Add security fixes

pull/4101/head
Julio Montoya 5 years ago
parent 92eeef4245
commit e48aaee06e
  1. 4
      .htaccess
  2. 5
      main/admin/add_courses_to_usergroup.php
  3. 16
      main/admin/course_export.php
  4. 9
      main/admin/course_list.php
  5. 8
      main/admin/course_request_rejected.php
  6. 6
      main/admin/course_request_review.php
  7. 4
      main/admin/export_certificates.php
  8. 17
      main/admin/settings.lib.php
  9. 1
      main/cron/lang/langstats.class.php
  10. 4
      main/document/document.php
  11. 17
      main/exercise/TestCategory.php
  12. 6
      main/exercise/exercise.class.php
  13. 41
      main/forum/forumfunction.inc.php
  14. 6
      main/group/group_space.php
  15. 12
      main/inc/ajax/course.ajax.php
  16. 2
      main/inc/ajax/exercise.ajax.php
  17. 75
      main/inc/ajax/model.ajax.php
  18. 2
      main/inc/lib/TicketManager.php
  19. 36
      main/inc/lib/agenda.lib.php
  20. 38
      main/inc/lib/api.lib.php
  21. 29
      main/inc/lib/course.lib.php
  22. 64
      main/inc/lib/database.lib.php
  23. 16
      main/inc/lib/exercise.lib.php
  24. 10
      main/inc/lib/extra_field.lib.php
  25. 112
      main/inc/lib/fileUpload.lib.php
  26. 39
      main/inc/lib/groupmanager.lib.php
  27. 26
      main/inc/lib/myspace.lib.php
  28. 6
      main/inc/lib/notebook.lib.php
  29. 10
      main/inc/lib/nusoap/class.wsdl.php
  30. 18
      main/inc/lib/online.inc.php
  31. 28
      main/inc/lib/sessionmanager.lib.php
  32. 8
      main/inc/lib/statistics.lib.php
  33. 7
      main/inc/lib/tracking.lib.php
  34. 8
      main/inc/lib/usermanager.lib.php
  35. 6
      main/inc/lib/zombie/zombie_manager.class.php
  36. 4
      main/permissions/roles.php
  37. 4
      main/session/session_category_list.php
  38. 7
      main/session/session_course_list.php
  39. 11
      main/session/session_course_user_list.php
  40. 1
      main/upload/index.php
  41. 1
      main/upload/upload.document.php
  42. 3
      main/upload/upload.php
  43. 1
      main/upload/upload_ppt.php
  44. 1
      main/upload/upload_word.php
  45. 4
      main/user/subscribe_user.php
  46. 5
      main/webservices/cm_webservice_inbox.php
  47. 2
      main/webservices/cm_webservice_user.php
  48. 65
      main/work/work.lib.php
  49. 4
      plugin/notebookteacher/src/NotebookTeacher.php

@ -12,7 +12,7 @@ RewriteEngine on
RedirectMatch 403 ^/app/(?!courses/proxy)(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/web/css/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/web/.*\.ph(p[3457]?|t|tml|ar)$
# http://my.chamilo.net/certificates/?id=123 to http://my.chamilo.net/certificates/index.php?id=123
RewriteCond %{QUERY_STRING} ^id=(.*)$
@ -78,6 +78,8 @@ RewriteRule ^([^/.]+)/?$ user.php?$1 [L]
# Deny direct access to user my files
RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 [QSA,L]
# Deny access
RewriteRule ^(tests|.git) - [F,L,NC]
# Add caching of woff font files to avoid loading 2*15KB each time with Chamilo
# default OpenSans font
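Review bot: The dot in `^(tests|.git)` is an unescaped regex metacharacter, so the new deny rule matches any single character followed by `git` (a top-level path such as `agitate/...` would be refused) rather than only the `.git` directory; it should be `RewriteRule ^(tests|\.git) - [F,L,NC]`. The `tests` alternative is also unanchored at the right, so any path beginning with `tests` (e.g. `testsuite/`) is blocked as well — fine if intended, but worth a comment. The broadened `^/web/.*\.ph(...)$` RedirectMatch makes the `^/web/css/` line above it redundant; keeping both is harmless but one could be dropped.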

@ -1,8 +1,5 @@
<?php
/* For licensing terms, see /license.txt */
/**
* @package chamilo.admin
*/
// Resetting the course id.
$cidReset = true;
@ -145,7 +142,7 @@ function search($needle, $type)
$list = CourseManager::get_courses_list(
0,
0,
2,
'title',
'ASC',
-1,
$needle

@ -3,8 +3,6 @@
/**
* This tool allows platform admins to export courses to CSV file.
*
* @package chamilo.admin
*/
$cidReset = true;
@ -18,16 +16,24 @@ $interbreadcrumb[] = ['url' => 'index.php', 'name' => get_lang('PlatformAdmin')]
set_time_limit(0);
$course_list = CourseManager::get_courses_list();
$course_list = CourseManager::get_courses_list(
0,
0,
'title',
'ASC',
-1,
'',
api_get_current_access_url_id()
);
$formSent = null;
$courses = $selected_courses = [];
if (isset($_POST['formSent']) && $_POST['formSent']) {
$formSent = $_POST['formSent'];
$select_type = intval($_POST['select_type']);
$select_type = (int) ($_POST['select_type']);
$file_type = $_POST['file_type'];
if ($select_type == 2) {
if (2 == $select_type) {
// Get selected courses from courses list in form sent
$selected_courses = $_POST['course_code'];
if (is_array($selected_courses)) {
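Review bot: `$file_type = $_POST['file_type'];` is taken straight from the request with no allowlist, while the neighbouring `select_type` was hardened with an `(int)` cast in this same hunk; how `$file_type` is consumed is outside the hunk, so whether it ends up in a filename, a header or a branch is not visible here. A reviewer would want it restricted at the boundary to the formats the exporter actually produces, e.g. `$file_type = in_array($_POST['file_type'], $allowedTypes, true) ? $_POST['file_type'] : 'csv';` with `$allowedTypes` being the real list. The `formSent` block continues past the end of the hunk.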

@ -244,6 +244,13 @@ function get_course_data_by_session($from, $number_of_items, $column, $direction
$session_rel_course = Database::get_main_table(TABLE_MAIN_SESSION_COURSE);
$session = Database::get_main_table(TABLE_MAIN_SESSION);
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$column = (int) $column;
if (!in_array(strtolower($direction), ['asc', 'desc'])) {
$direction = 'desc';
}
$sql = "SELECT
c.code AS col0,
c.title AS col1,
@ -264,7 +271,7 @@ function get_course_data_by_session($from, $number_of_items, $column, $direction
";
if (isset($_GET['session_id']) && !empty($_GET['session_id'])) {
$sessionId = intval($_GET['session_id']);
$sessionId = (int) $_GET['session_id'];
$sql .= " WHERE s.id = ".$sessionId;
}
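Review bot: The `$direction` guard added to `get_course_data_by_session` is written as an `if` block defaulting to `'desc'`, whereas the identical guard added in this commit to `course_request_rejected.php`, `course_request_review.php` and `settings.lib.php` is a ternary defaulting to `'asc'`; the differing defaults look accidental rather than deliberate, and none of the variants normalises the value it interpolates (`strtolower(trim(...))` is used for the check, the raw string for the SQL). A single shared helper — something like `$direction = in_array(strtolower(trim($direction)), ['asc', 'desc'], true) ? strtolower(trim($direction)) : 'asc';` — would keep these pagers consistent. The function body continues outside the hunk, so I cannot see whether `$column` is bounded to the `colN` aliases the SELECT defines.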

@ -4,8 +4,6 @@
/**
* A list containing the rejected course requests.
*
* @package chamilo.admin
*
* @author José Manuel Abuin Mosquera <chema@cesga.es>, 2010
* @author Bruno Rubio Gayo <brubio@cesga.es>, 2010
* Centro de Supercomputacion de Galicia (CESGA)
@ -114,9 +112,9 @@ function get_request_data($from, $number_of_items, $column, $direction)
$keyword = isset($_GET['keyword']) ? Database::escape_string(trim($_GET['keyword'])) : '';
$course_request_table = Database::get_main_table(TABLE_MAIN_COURSE_REQUEST);
$from = intval($from);
$number_of_items = intval($number_of_items);
$column = intval($column);
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$column = (int) $column;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
$sql = "SELECT

@ -4,8 +4,6 @@
/**
* A list containing the pending course requests.
*
* @package chamilo.admin
*
* @author José Manuel Abuin Mosquera <chema@cesga.es>, 2010
* Centro de Supercomputacion de Galicia (CESGA)
* @author Ivan Tcholakov <ivantcholakov@gmail.com> (technical adaptation for Chamilo 1.8.8), 2010
@ -129,6 +127,10 @@ function get_request_data($from, $number_of_items, $column, $direction)
{
global $keyword;
$course_request_table = Database::get_main_table(TABLE_MAIN_COURSE_REQUEST);
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$column = (int) $column;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
if (DELETE_ACTION_ENABLED) {
$sql = "SELECT id AS col0,

@ -1,11 +1,9 @@
<?php
/* For licensing terms, see /license.txt */
/**
* @package chamilo.admin
*/
$cidReset = true;
require_once __DIR__.'/../inc/global.inc.php';
api_protect_admin_script(true);
Display::display_header(null);
$form = new FormValidator('export_certificate');

@ -13,8 +13,6 @@ use Symfony\Component\Filesystem\Filesystem;
* @author Guillaume Viguier <guillaume@viguierjust.com>
*
* @since Chamilo 1.8.7
*
* @package chamilo.admin
*/
define('CSS_UPLOAD_PATH', api_get_path(SYS_APP_PATH).'Resources/public/css/themes/');
@ -44,7 +42,7 @@ function handleRegions()
$installed_plugins = $plugin_obj->getInstalledPlugins();
echo '<form name="plugins" method="post" action="'.api_get_self().'?category='.Security::remove_XSS($_GET['category']).'">';
echo '<table class="data_table">';
echo '<table class="table table-hover table-striped data_table">';
echo '<tr>';
echo '<th width="400px">';
echo get_lang('Plugin');
@ -1026,6 +1024,10 @@ function getTemplateData($from, $number_of_items, $column, $direction)
// Database table definition.
$table_system_template = Database::get_main_table('system_template');
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$column = (int) $column;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
// The sql statement.
$sql = "SELECT image as col0, title as col1, id as col2 FROM $table_system_template";
$sql .= " ORDER BY col$column $direction ";
@ -1371,10 +1373,6 @@ function select_gradebook_default_grade_model_id()
* @param array $settings
* @param array $settings_by_access_list
*
* @throws \Doctrine\ORM\ORMException
* @throws \Doctrine\ORM\OptimisticLockException
* @throws \Doctrine\ORM\TransactionRequiredException
*
* @return FormValidator
*/
function generateSettingsForm($settings, $settings_by_access_list)
@ -1839,6 +1837,11 @@ function getAllowedFileTypes()
'webp',
'woff',
'woff2',
'md',
'html',
'xml',
'markdown',
'txt',
];
return $allowedFiles;
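Review bot: Adding `'html'`, `'xml'`, `'md'`, `'markdown'` and `'txt'` to `getAllowedFileTypes()` widens an upload allowlist in a file whose `CSS_UPLOAD_PATH` points under `Resources/public/css/themes/`, a web-served location; if this list governs those theme uploads, a user-supplied `.html` (or an `.xml` with inline script that a browser may render) becomes a stored-XSS file served from the platform origin. The `.htaccess` hunk in this commit only blocks PHP extensions under that path, not HTML, so that rule does not cover this case. Unless a caller forces `Content-Disposition: attachment` or `X-Content-Type-Options: nosniff` on these files, I would drop `'html'` and `'xml'` from the list and add a comment stating which upload path this list protects.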

@ -152,6 +152,7 @@ class langstats
*/
public function get_popular_terms($num = 1000)
{
$num = (int) $num;
$res = $this->db->query(
'SELECT * FROM lang_freq ORDER BY term_count DESC LIMIT '.$num
);
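Review bot: `$num = (int) $num;` closes the injection into the string-built `LIMIT`, but a negative value still produces an invalid `LIMIT -5` and a query error; clamping with `$num = max(0, (int) $num);` keeps the query syntactically valid for any input. A one-line docblock note on `get_popular_terms` saying the argument is coerced to a non-negative integer would make the contract explicit.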

@ -25,8 +25,6 @@ use ChamiloSession as Session;
* 2) Define the directory to display
* 3) Read files and directories from the directory defined in part 2
* 4) Display all of that on an HTML page
*
* @package chamilo.document
*/
require_once __DIR__.'/../inc/global.inc.php';
@ -796,7 +794,7 @@ function convertModal (id, format) {
var formatTarget = $(this).val();
window.location.href = "'
.api_get_self().'?'.api_get_cidreq()
.'&curdirpath='.$curdirpath
.'&curdirpath='.$curdirpathurl
.'&action=convertToPdf&formatTarget='
.'" + formatTarget + "&id=" + id + "&'
.api_get_cidreq().'&formatType=" + format;

@ -158,7 +158,7 @@ class TestCategory
public function modifyCategory($courseId = 0)
{
$table = Database::get_course_table(TABLE_QUIZ_QUESTION_CATEGORY);
$id = intval($this->id);
$id = (int) $this->id;
$name = Database::escape_string($this->name);
$description = Database::escape_string($this->description);
$cat = $this->getCategory($id, $courseId);
@ -175,7 +175,6 @@ class TestCategory
WHERE id = $id AND c_id = ".$courseId;
Database::query($sql);
// item_property update
api_item_property_update(
$courseInfo,
TOOL_TEST_CATEGORY,
@ -236,7 +235,7 @@ class TestCategory
$field = Database::escape_string($field);
$sql = "SELECT $field FROM $table
WHERE c_id = $courseId
ORDER BY $field ASC";
ORDER BY `$field` ASC";
$res = Database::query($sql);
while ($row = Database::fetch_array($res)) {
$categories[] = $row[$field];
@ -330,9 +329,7 @@ class TestCategory
}
/**
* Return the list of differents categories ID for a test in the current course
* input : test_id
* return : array of category id (integer)
* Return the list of different categories ID for a test in the current course
* hubert.borderiou 07-04-2011.
*
* @param int $exerciseId
@ -342,7 +339,7 @@ class TestCategory
*/
public static function getListOfCategoriesIDForTest($exerciseId, $courseId = 0)
{
// parcourir les questions d'un test, recup les categories uniques dans un tableau
// Check test questions, obtaining unique categories in a table
$exercise = new Exercise($courseId);
$exercise->read($exerciseId, false);
$categoriesInExercise = $exercise->getQuestionWithCategories();
@ -358,13 +355,11 @@ class TestCategory
}
/**
* @param Exercise $exercise
*
* @return array
*/
public static function getListOfCategoriesIDForTestObject(Exercise $exercise)
{
// parcourir les questions d'un test, recup les categories uniques dans un tableau
// Check the categories of a test, obtaining unique categories in table
$categories_in_exercise = [];
$question_list = $exercise->getQuestionOrderedListByName();
@ -418,8 +413,6 @@ class TestCategory
}
/**
* @param Exercise $exercise
*
* @return array
*/
public static function getListOfCategoriesForTest(Exercise $exercise)
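Review bot: Wrapping `$field` in backticks in the `ORDER BY` gives little protection because `Database::escape_string` escapes quotes, not backticks, and the same `$field` is still interpolated unquoted in `SELECT $field FROM $table` two lines above; the safe fix is an allowlist of the real column names of the question-category table rather than escaping, e.g. `if (!in_array($field, $allowedColumns, true)) { $field = 'title'; }` with `$allowedColumns` being that list. The function that builds this query starts before the hunk, so where `$courseId` is cast is not visible here. In `modifyCategory`, the commit drops the `// item_property update` comment line but keeps the call, which is fine.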

@ -12,8 +12,6 @@ use Doctrine\DBAL\Types\Type;
*
* Allows to instantiate an object of type Exercise
*
* @package chamilo.exercise
*
* @todo use getters and setters correctly
*
* @author Olivier Brouckaert
@ -657,9 +655,9 @@ class Exercise
$orderCondition = ' ORDER BY question_order ';
if (!empty($sidx) && !empty($sord)) {
if ($sidx === 'question') {
if ('question' === $sidx) {
if (in_array(strtolower($sord), ['desc', 'asc'])) {
$orderCondition = " ORDER BY q.$sidx $sord";
$orderCondition = " ORDER BY `q.$sidx` $sord";
}
}
}
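Review bot: `" ORDER BY \`q.$sidx\` $sord"` quotes the alias and column as one identifier, so MySQL will look for a column literally named `q.question` and fail with an unknown-column error; the branch already guarantees `$sidx === 'question'`, so the backticks add no safety and the line should read `$orderCondition = " ORDER BY q.question $sord";` (or `q.\`$sidx\`` if the quoting is kept). The strict `===` comparison on `$sidx` and the `asc`/`desc` allowlist on `$sord` are the real guards here and are correct. The enclosing method starts and ends outside the hunk.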

@ -49,8 +49,8 @@ function setFocus() {
$htmlHeadXtra[] = api_get_jquery_libraries_js(['jquery-ui', 'jquery-upload']);
// Recover Thread ID, will be used to generate delete attachment URL to do ajax
$threadId = isset($_REQUEST['thread']) ? intval($_REQUEST['thread']) : 0;
$forumId = isset($_REQUEST['forum']) ? intval($_REQUEST['forum']) : 0;
$threadId = isset($_REQUEST['thread']) ? (int) ($_REQUEST['thread']) : 0;
$forumId = isset($_REQUEST['forum']) ? (int) ($_REQUEST['forum']) : 0;
$ajaxUrl = api_get_path(WEB_AJAX_PATH).'forum.ajax.php?'.api_get_cidreq();
// The next javascript script is to delete file by ajax
@ -492,13 +492,13 @@ function delete_forum_image($forum_id)
{
$table_forums = Database::get_course_table(TABLE_FORUM);
$course_id = api_get_course_int_id();
$forum_id = intval($forum_id);
$forum_id = (int) $forum_id;
$sql = "SELECT forum_image FROM $table_forums
WHERE forum_id = $forum_id AND c_id = $course_id";
$result = Database::query($sql);
$row = Database::fetch_array($result);
if ($row['forum_image'] != '') {
if ('' != $row['forum_image']) {
$file = api_get_path(SYS_COURSE_PATH).api_get_course_path().'/upload/forum/images/'.$row['forum_image'];
if (file_exists($file)) {
unlink($file);
@ -1256,9 +1256,9 @@ function return_visible_invisible_icon(
function return_lock_unlock_icon($content, $id, $current_lock_status, $additional_url_parameters = '')
{
$html = '';
$id = intval($id);
$id = (int) $id;
//check if the forum is blocked due
if ($content == 'thread') {
if ('thread' == $content) {
if (api_resource_is_locked_by_gradebook($id, LINK_FORUM_THREAD)) {
$html .= Display::return_icon(
'lock_na.png',
@ -1270,7 +1270,7 @@ function return_lock_unlock_icon($content, $id, $current_lock_status, $additiona
return $html;
}
}
if ($current_lock_status == '1') {
if ('1' == $current_lock_status) {
$html .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&';
if (is_array($additional_url_parameters)) {
foreach ($additional_url_parameters as $key => $value) {
@ -1280,7 +1280,7 @@ function return_lock_unlock_icon($content, $id, $current_lock_status, $additiona
$html .= 'action=unlock&content='.$content.'&id='.$id.'">'.
Display::return_icon('lock.png', get_lang('Unlock'), [], ICON_SIZE_SMALL).'</a>';
}
if ($current_lock_status == '0') {
if ('0' == $current_lock_status) {
$html .= '<a href="'.api_get_self().'?'.api_get_cidreq().'&';
if (is_array($additional_url_parameters)) {
foreach ($additional_url_parameters as $key => $value) {
@ -1460,7 +1460,7 @@ function move_up_down($content, $direction, $id)
$table_forums = Database::get_course_table(TABLE_FORUM);
$table_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY);
$course_id = api_get_course_int_id();
$id = intval($id);
$id = (int) $id;
// Determine which field holds the sort order.
if ($content == 'forumcategory') {
@ -1915,9 +1915,9 @@ function get_last_post_by_thread($course_id, $thread_id, $forum_id, $show_visibl
return false;
}
$thread_id = intval($thread_id);
$forum_id = intval($forum_id);
$course_id = intval($course_id);
$thread_id = (int) $thread_id;
$forum_id = (int) $forum_id;
$course_id = (int) $course_id;
$table_posts = Database::get_course_table(TABLE_FORUM_POST);
$sql = "SELECT * FROM $table_posts
@ -3509,16 +3509,19 @@ function saveThreadScore(
$threadInfo,
$user_id,
$thread_id,
$thread_qualify = 0,
$thread_qualify,
$qualify_time,
$session_id = 0
$session_id
) {
$table_threads_qualify = Database::get_course_table(TABLE_FORUM_THREAD_QUALIFY);
$table_threads = Database::get_course_table(TABLE_FORUM_THREAD);
$course_id = api_get_course_int_id();
$session_id = intval($session_id);
$session_id = (int) $session_id;
$thread_id = (int) $thread_id;
$user_id = (int) $user_id;
$currentUserId = api_get_user_id();
$qualify_time = Database::escape_string($qualify_time);
if ($user_id == strval(intval($user_id)) &&
$thread_id == strval(intval($thread_id)) &&
@ -3714,7 +3717,9 @@ function saveThreadScoreHistory(
$table_threads_qualify = Database::get_course_table(TABLE_FORUM_THREAD_QUALIFY);
$table_threads_qualify_log = Database::get_course_table(TABLE_FORUM_THREAD_QUALIFY_LOG);
$course_id = intval($course_id);
$thread_id = (int) $thread_id;
$course_id = (int) $course_id;
$user_id = (int) $user_id;
$qualify_user_id = api_get_user_id();
if ($user_id == strval(intval($user_id)) &&
@ -6116,6 +6121,7 @@ function get_thread_user_post_limit($course_code, $thread_id, $user_id, $limit =
$course_info = api_get_course_info($course_code);
$course_id = $course_info['real_id'];
$limit = (int) $limit;
$sql = "SELECT * FROM $table_posts posts
LEFT JOIN $table_users users
@ -6124,7 +6130,8 @@ function get_thread_user_post_limit($course_code, $thread_id, $user_id, $limit =
posts.c_id = $course_id AND
posts.thread_id='".Database::escape_string($thread_id)."' AND
posts.poster_id='".Database::escape_string($user_id)."'
ORDER BY posts.post_id DESC LIMIT $limit ";
ORDER BY posts.post_id DESC
LIMIT $limit ";
$result = Database::query($sql);
$post_list = [];
while ($row = Database::fetch_array($result)) {
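Review bot: In the `saveThreadScore` signature, dropping the default on `$thread_qualify` is justified (an optional parameter before the required `$qualify_time` is deprecated in PHP 8), but dropping `$session_id = 0` on the last parameter is a backward-incompatible change with no security benefit — any caller that omitted the session id now gets an `ArgumentCountError`; I would keep `$session_id = 0` and rely on the new `(int)` cast. After `$thread_id = (int) $thread_id;` and `$user_id = (int) $user_id;` the retained `$user_id == strval(intval($user_id)) && $thread_id == strval(intval($thread_id))` checks are always true and could be removed in `saveThreadScore` and `saveThreadScoreHistory`. The signature lines are shown in the hunk but the function bodies run past it.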

@ -5,8 +5,6 @@
* This script shows the group space for one specific group, possibly displaying
* a list of users in the group, subscribe or unsubscribe option, tutors...
*
* @package chamilo.group
*
* @todo Display error message if no group ID specified
*/
require_once __DIR__.'/../inc/global.inc.php';
@ -117,8 +115,6 @@ if (!empty($current_group['description'])) {
echo '<p>'.Security::remove_XSS($current_group['description']).'</p>';
}
//if (GroupManager::userHasAccessToBrowse($user_id, $this_group, $session_id)) {
// If the user is subscribed to the group or the user is a tutor of the group then
if (api_is_allowed_to_edit(false, true) ||
GroupManager::userHasAccessToBrowse($user_id, $current_group, api_get_session_id())
@ -422,8 +418,10 @@ function get_number_of_group_users()
*/
function get_group_user_data($from, $number_of_items, $column, $direction)
{
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
$groupInfo = GroupManager::get_group_properties(api_get_group_id());
$course_id = api_get_course_int_id();
$column = (int) $column;
if (empty($groupInfo) || empty($course_id)) {
return 0;
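Review bot: `get_group_user_data` gets the `$direction` allowlist and `$column = (int) $column;`, but unlike every other pager hardened in this commit (`course_list.php`, `course_request_*.php`, `settings.lib.php`) it leaves `$from` and `$number_of_items` uncast; their use is beyond the hunk, but if they reach a `LIMIT` clause the same `$from = (int) $from; $number_of_items = (int) $number_of_items;` belongs here. The function body continues outside the hunk.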

@ -145,14 +145,14 @@ switch ($action) {
//TODO change this function to search not only courses STARTING with $_GET['q']
if (api_is_platform_admin()) {
$courseList = CourseManager::get_courses_list(
0, //offset
0, //howMany
1, //$orderby = 1
0,
0,
'title',
'ASC',
-1, //visibility
-1,
$_GET['q'],
null, //$urlId
true //AlsoSearchCode
null,
true
);
} elseif (api_is_teacher()) {
$courseList = CourseManager::get_course_list_of_user_as_course_admin(api_get_user_id(), $_GET['q']);

@ -228,7 +228,7 @@ switch ($action) {
GROUP BY exe_user_id
) as aa
ON aa.exe_user_id = user_id
ORDER BY $sidx $sord
ORDER BY `$sidx` $sord
LIMIT $start, $limit";
$result = Database::query($sql);
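Review bot: Backticks around `$sidx` only help if `$sidx` cannot contain a backtick, and a column name such as `u.firstname` would break as a single quoted identifier; the validation of `$sidx`, `$sord`, `$start` and `$limit` is not in this hunk, so the quoting alone should not be read as the protection. The robust form is an allowlist against the column names this query actually exposes, e.g. `$sidx = in_array($sidx, $allowedColumns, true) ? $sidx : 'exe_date';`, with `$start`/`$limit` cast to `int`. The switch case that builds this SQL starts before the hunk.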

@ -43,14 +43,17 @@ if (!in_array(
$action,
[
'get_exercise_results',
'get_exercise_pending_results',
'get_exercise_results_report',
'get_work_student_list_overview',
'get_hotpotatoes_exercise_results',
'get_work_teacher',
'get_work_student',
'get_all_work_student',
'get_work_user_list',
'get_work_user_list_others',
'get_work_user_list_all',
'get_work_pending_list',
'get_timelines',
'get_user_skill_ranking',
'get_usergroups',
@ -435,9 +438,7 @@ switch ($action) {
$courseCodeList = [];
foreach ($sessionList as $session) {
$courses = SessionManager::get_course_list_by_session_id(
$session['id']
);
$courses = SessionManager::get_course_list_by_session_id($session['id']);
$courseCodeList = array_merge(
$courseCodeList,
array_column($courses, 'code')
@ -490,7 +491,7 @@ switch ($action) {
break;
}
if ($action == 'get_user_course_report') {
if ($action === 'get_user_course_report') {
$count = CourseManager::get_count_user_list_from_course_code(
false,
null,
@ -521,11 +522,11 @@ switch ($action) {
break;
case 'get_work_teacher':
require_once api_get_path(SYS_CODE_PATH).'work/work.lib.php';
$count = getWorkListTeacher(0, $limit, $sidx, $sord, $whereCondition, true);
$count = getWorkListTeacher(0, $limit, null, null, $whereCondition, true);
break;
case 'get_work_student':
require_once api_get_path(SYS_CODE_PATH).'work/work.lib.php';
$count = getWorkListStudent(0, $limit, $sidx, $sord, $whereCondition, true);
$count = getWorkListStudent(0, $limit, null, null, $whereCondition, true);
break;
case 'get_work_user_list_all':
require_once api_get_path(SYS_CODE_PATH).'work/work.lib.php';
@ -552,8 +553,8 @@ switch ($action) {
$count = get_work_user_list(
0,
$limit,
$sidx,
$sord,
null,
null,
$work_id,
$whereCondition,
null,
@ -563,8 +564,8 @@ switch ($action) {
$count = get_work_user_list_from_documents(
0,
$limit,
$sidx,
$sord,
null,
null,
$work_id,
api_get_user_id(),
$whereCondition,
@ -829,6 +830,7 @@ switch ($action) {
$obj->protectScript();
$type = isset($_REQUEST['type']) ? $_REQUEST['type'] : 'registered';
$groupFilter = isset($_REQUEST['group_filter']) ? (int) $_REQUEST['group_filter'] : 0;
$keyword = isset($_REQUEST['keyword']) ? $_REQUEST['keyword'] : '';
$course_id = api_get_course_int_id();
if ($type === 'registered') {
$count = $obj->getUserGroupByCourseWithDataCount(
@ -879,6 +881,7 @@ switch ($action) {
$columns = ['name', 'actions'];
$manager = new ExerciseCategoryManager();
$sidx = in_array($sidx, $columns) ? $sidx : 'name';
$result = $manager->get_all([
'where' => ['c_id = ? ' => $courseId],
'order' => "$sidx $sord",
@ -907,6 +910,7 @@ switch ($action) {
break;
case 'get_learning_path_calendars':
$columns = ['title', 'total_hours', 'minutes_per_day', 'actions'];
$sidx = in_array($sidx, $columns) ? $sidx : 'title';
$result = $calendarPlugin->getCalendars(
$start,
$limit,
@ -916,6 +920,7 @@ switch ($action) {
break;
case 'course_log_events':
$columns = ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'];
$sidx = in_array($sidx, $columns) ? $sidx : '0';
$result = Statistics::getActivitiesData(
$start,
$limit,
@ -929,6 +934,7 @@ switch ($action) {
$columns = ['subject', 'date', 'sent', 'actions'];
$sessionId = isset($_REQUEST['session_id']) ? (int) $_REQUEST['session_id'] : 0;
$sidx = in_array($sidx, $columns) ? $sidx : 'subject';
$result = Database::select(
'*',
$object->table,
@ -946,6 +952,7 @@ switch ($action) {
break;
case 'get_group_reporting':
$columns = ['name', 'time', 'progress', 'score', 'works', 'messages', 'actions'];
$sidx = in_array($sidx, $columns) ? $sidx : 'name';
$result = Tracking::get_group_reporting(
$course_id,
@ -961,6 +968,7 @@ switch ($action) {
break;
case 'get_course_exercise_medias':
$columns = ['question'];
$sidx = in_array($sidx, $columns) ? $sidx : 'question';
$result = Question::get_course_medias(
$course_id,
$start,
@ -1008,9 +1016,6 @@ switch ($action) {
}
}
if (!in_array($sidx, ['training_hours'])) {
//$sidx = 'training_hours';
}
if (api_is_student_boss() && empty($userIdList)) {
$result = [];
@ -1021,7 +1026,7 @@ switch ($action) {
null,
null,
"LIMIT $start, $limit",
null, //" $sidx $sord",
null,
null,
null,
true,
@ -1150,6 +1155,7 @@ switch ($action) {
'currently_learning',
'rank',
];
$sidx = in_array($sidx, $columns) ? $sidx : 'firstname';
$result = $skill->getUserListSkillRanking(
$start,
$limit,
@ -1191,6 +1197,7 @@ switch ($action) {
$titleToSearch = isset($_REQUEST['title_to_search']) ? $_REQUEST['title_to_search'] : '';
$userIdToSearch = isset($_REQUEST['user_id_to_search']) ? $_REQUEST['user_id_to_search'] : 0;
$sidx = in_array($sidx, $columns) ? $sidx : 'title';
$result = AnnouncementManager::getAnnouncements(
null,
null,
@ -1213,6 +1220,7 @@ switch ($action) {
'amount',
'actions',
];
$sidx = in_array($sidx, $columns) ? $sidx : 'title';
$result = getWorkListTeacher(
$start,
$limit,
@ -1230,6 +1238,7 @@ switch ($action) {
'last_upload',
'others',
];
$sidx = in_array($sidx, $columns) ? $sidx : 'title';
$result = getWorkListStudent(
$start,
$limit,
@ -1268,6 +1277,7 @@ switch ($action) {
$whereCondition = " AND $whereCondition ";
$sidx = in_array($sidx, $columns) ? $sidx : 'title';
$result = get_work_user_list(
$start,
$limit,
@ -1300,6 +1310,7 @@ switch ($action) {
}
$whereCondition .= " AND u.user_id <> ".api_get_user_id();
$sidx = in_array($sidx, $columns) ? $sidx : 'firstname';
$result = get_work_user_list(
$start,
$limit,
@ -1314,7 +1325,7 @@ switch ($action) {
if (api_get_configuration_value('allow_compilatio_tool')) {
$plagiarismColumns = ['compilatio'];
}
if (isset($_GET['type']) && $_GET['type'] == 'simple') {
if (isset($_GET['type']) && $_GET['type'] === 'simple') {
$columns = [
'type', 'title', 'qualification', 'sent_date', 'qualificator_id',
];
@ -1330,6 +1341,7 @@ switch ($action) {
if (trim($whereCondition) === '1 = 1') {
$whereCondition = '';
}
$sidx = in_array($sidx, $columns) ? $sidx : 'title';
if (empty($documents)) {
$whereCondition .= ' AND u.user_id = '.api_get_user_id();
@ -1382,6 +1394,7 @@ switch ($action) {
}
}
$sidx = in_array($sidx, $columns) ? $sidx : 'firstname';
$result = ExerciseLib::get_exam_results_data(
$start,
$limit,
@ -1452,7 +1465,7 @@ switch ($action) {
if (!empty($categoryList)) {
foreach ($categoryList as $categoryInfo) {
$label = 'category_'.$categoryInfo['id'];
if ($operation == 'excel') {
if ($operation === 'excel') {
$columns[] = $label.'_score_percentage';
$columns[] = $label.'_only_score';
$columns[] = $label.'_total';
@ -1474,6 +1487,7 @@ switch ($action) {
}
$whereCondition .= " AND te.status = '' ";
$sidx = in_array($sidx, $columns) ? $sidx : 'firstname';
$result = ExerciseLib::get_exam_results_data(
$start,
@ -1499,6 +1513,7 @@ switch ($action) {
} else {
$columns = ['exe_date', 'score', 'actions'];
}
$sidx = in_array($sidx, $columns) ? $sidx : 'firstname';
$result = ExerciseLib::get_exam_results_hotpotatoes_data(
$start,
$limit,
@ -1517,6 +1532,7 @@ switch ($action) {
'student', 'works',
];
$sidx = in_array($sidx, $columns) ? $sidx : 'student';
$result = getWorkUserListData(
$workId,
api_get_course_id(),
@ -1537,6 +1553,7 @@ switch ($action) {
} else {
$columns = ['exe_date', 'score', 'actions'];
}
$sidx = in_array($sidx, $columns) ? $sidx : 'exe_date';
$result = ExerciseLib::get_exam_results_hotpotatoes_data(
$start,
$limit,
@ -1563,6 +1580,7 @@ switch ($action) {
$description
);
} else {
$sidx = in_array($sidx, $columns) ? $sidx : 'name';
// Sessions for the coach
$sessions = Tracking::get_sessions_coached_by_user(
api_get_user_id(),
@ -1643,6 +1661,8 @@ switch ($action) {
$session_columns = SessionManager::getGridColumns($list_type);
$columns = $session_columns['simple_column_name'];
$sidx = in_array($sidx, $columns) ? $sidx : 'name';
if ($list_type === 'simple' || $list_type === 'custom') {
$result = SessionManager::get_sessions_admin(
[
@ -1690,6 +1710,7 @@ switch ($action) {
'answer',
'correct',
];
$sidx = in_array($sidx, $columns) ? $sidx : 'quiz_title';
$result = Tracking::get_exercise_progress(
$sessionId,
@ -1720,14 +1741,12 @@ switch ($action) {
'firstname',
'lastname',
];
$lessons = LearnpathList::get_course_lessons(
$course['code'],
$sessionId
);
$lessons = LearnpathList::get_course_lessons($course['code'], $sessionId);
foreach ($lessons as $lesson_id => $lesson) {
$columns[] = $lesson_id;
}
$columns[] = 'total';
$sidx = in_array($sidx, $columns) ? $sidx : 'username';
$result = SessionManager::get_session_lp_progress(
$sessionId,
$courseId,
@ -1751,7 +1770,6 @@ switch ($action) {
$surveyId = intval($_GET['survey_id']);
$date_from = $_GET['date_from'];
$date_to = $_GET['date_to'];
//$course = api_get_course_info_by_id($courseId);
}
/**
* Add lessons of course.
@ -1768,6 +1786,7 @@ switch ($action) {
$columns[] = $question_id;
}
$sidx = in_array($sidx, $columns) ? $sidx : 'username';
$result = SessionManager::get_survey_overview(
$sessionId,
$courseId,
@ -1832,6 +1851,7 @@ switch ($action) {
$sessionId = intval($_GET['session_id']);
$courseId = intval($_GET['course_id']);
}
$sidx = in_array($sidx, $columns) ? $sidx : 'username';
$result = SessionManager::get_session_progress(
$sessionId,
$courseId,
@ -1864,6 +1884,7 @@ switch ($action) {
$date_from = intval($_GET['date_from']);
$date_to = intval($_GET['date_to']);
}
$sidx = in_array($sidx, $columns) ? $sidx : 'logindate';
$result = SessionManager::get_user_data_access_tracking_overview(
$sessionId,
@ -1885,6 +1906,7 @@ switch ($action) {
if (!in_array($sidx, $columns)) {
$sidx = 'headline';
}
$sidx = in_array($sidx, $columns) ? $sidx : 'headline';
$course_id = api_get_course_int_id();
$result = Database::select(
'*',
@ -2077,6 +2099,8 @@ switch ($action) {
case 'get_usergroups':
$obj->protectScript();
$columns = ['name', 'users', 'courses', 'sessions', 'group_type', 'actions'];
$sidx = in_array($sidx, $columns) ? $sidx : 'name';
$result = $obj->getUsergroupsPagination($sidx, $sord, $start, $limit);
break;
case 'get_extra_fields':
@ -2091,6 +2115,7 @@ switch ($action) {
'filter',
'field_order',
];
$sidx = in_array($sidx, $columns) ? $sidx : 'display_text';
$result = $obj->getAllGrid($sidx, $sord, $start, $limit);
$new_result = [];
if (!empty($result)) {
@ -2119,10 +2144,7 @@ switch ($action) {
break;
case 'get_exercise_grade':
$objExercise = new Exercise();
$exercises = $objExercise->getExercisesByCourseSession(
$_GET['course_id'],
$_GET['session_id']
);
$exercises = $objExercise->getExercisesByCourseSession($_GET['course_id'], $_GET['session_id']);
$cntExer = 4;
if (!empty($exercises)) {
$cntExer += count($exercises);
@ -2224,8 +2246,9 @@ switch ($action) {
case 'get_extra_field_options':
$obj = new ExtraFieldOption($type);
$columns = ['display_text', 'option_value', 'option_order'];
$sidx = in_array($sidx, $columns) ? $sidx : 'display_text';
$result = $obj->get_all([
'where' => ["field_id = ? " => $field_id],
'where' => ['field_id = ? ' => $field_id],
'order' => "$sidx $sord",
'LIMIT' => "$start , $limit",
]);
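Review bot: The `$sidx = in_array($sidx, $columns) ? $sidx : '...'` guard is repeated in roughly thirty cases, always with a loose `in_array`; for `course_log_events`, where `$columns` are numeric strings, values like `' 0'` or `'0e5'` pass the loose comparison and are interpolated as-is (harmless in `ORDER BY`, but not what the allowlist intends), so `in_array($sidx, $columns, true)` should be used throughout. In `get_timelines` the new line duplicates the `if (!in_array($sidx, $columns)) { $sidx = 'headline'; }` immediately above it and one of the two should go. A small helper (e.g. `$sidx = sanitizeOrderColumn($sidx, $columns, 'name');`) would remove the repetition and make a missed case obvious; `$sord` is not checked in any of these hunks, so I assume that happens near the top of the file. In `get_exercise_grade`, `$_GET['course_id']` and `$_GET['session_id']` are still passed raw to `getExercisesByCourseSession()`, whose escaping is not visible here.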

@ -917,7 +917,7 @@ class TicketManager
)
)";
}
$sql .= " ORDER BY $column $direction";
$sql .= " ORDER BY `$column` $direction";
$sql .= " LIMIT $from, $number_of_items";
$result = Database::query($sql);
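Review bot: The backticks added around `$column` do not constrain it; the `LIMIT $from, $number_of_items` on the next line is equally string-built and neither the casting of those two values nor the validation of `$column`/`$direction` is visible in the hunk. If `$column` is meant to be one of the `colN` aliases of this SELECT, a check such as `$column = preg_match('/^col\d+$/', $column) ? $column : 'col0';` plus `(int)` casts on the LIMIT values would make this method self-protecting. The method starts before the hunk.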

@ -154,6 +154,7 @@ class Agenda
*/
public function setType($type)
{
$type = (string) trim($type);
$typeList = $this->getTypes();
if (in_array($type, $typeList)) {
$this->type = $type;
@ -528,7 +529,6 @@ class Agenda
// @todo remove comment code
$startDateInLocal = new DateTime($newStartDate, new DateTimeZone($timeZone));
//$originalOffset = $startDate->getOffset();
if ($startDateInLocal->format('I') == 0) {
// Is saving time? Then fix UTC time to add time
$seconds = $startDateInLocal->getOffset();
@ -543,7 +543,6 @@ class Agenda
$startDateInLocalFixed = new DateTime($startDateFixed, new DateTimeZone($timeZone));
$newStartDate = $startDateInLocalFixed->format('Y-m-d H:i:s');*/
}
//var_dump($newStartDate.' - '.$startDateInLocal->format('I'));
$endDateInLocal = new DateTime($newEndDate, new DateTimeZone($timeZone));
if ($endDateInLocal->format('I') == 0) {
@ -1068,16 +1067,13 @@ class Agenda
$isAllowToEdit = $this->getIsAllowedToEdit();
if (!empty($courseId) && $isAllowToEdit) {
// Delete
$eventInfo = $this->get_event($id);
if ($deleteAllItemsFromSerie) {
/* This is one of the children.
Getting siblings and delete 'Em all + the father! */
if (isset($eventInfo['parent_event_id']) && !empty($eventInfo['parent_event_id'])) {
// Removing items.
$events = $this->getAllRepeatEvents(
$eventInfo['parent_event_id']
);
$events = $this->getAllRepeatEvents($eventInfo['parent_event_id']);
if (!empty($events)) {
foreach ($events as $event) {
$this->deleteEvent($event['id']);
@ -1245,9 +1241,7 @@ class Agenda
if (!empty($sessionList)) {
foreach ($sessionList as $sessionItem) {
$sessionId = $sessionItem['id'];
$courses = SessionManager::get_course_list_by_session_id(
$sessionId
);
$courses = SessionManager::get_course_list_by_session_id($sessionId);
$sessionInfo = [
'session_id' => $sessionId,
'courses' => $courses,
@ -1496,9 +1490,7 @@ class Agenda
);
if (!empty($event['parent_event_id'])) {
$event['parent_info'] = $this->get_event(
$event['parent_event_id']
);
$event['parent_info'] = $this->get_event($event['parent_event_id']);
}
$event['attachment'] = $this->getAttachmentList(
@ -2990,7 +2982,7 @@ class Agenda
}
}
if ($this->type == 'personal' && !api_is_anonymous()) {
if ($this->type === 'personal' && !api_is_anonymous()) {
$actionsLeft .= Display::url(
Display::return_icon('1day.png', get_lang('SessionsPlanCalendar'), [], ICON_SIZE_MEDIUM),
$codePath.'calendar/planification.php'
@ -3409,9 +3401,14 @@ class Agenda
$current_access_url_id = api_get_current_access_url_id();
if ($type == "month_view" or $type == "") {
if ($type == "month_view" || $type == "") {
// We are in month view
$sql = "SELECT * FROM ".$tbl_global_agenda." WHERE MONTH(start_date) = ".$month." AND YEAR(start_date) = ".$year." AND access_url_id = $current_access_url_id ORDER BY start_date ASC";
$sql = "SELECT * FROM ".$tbl_global_agenda."
WHERE
MONTH(start_date) = ".$month." AND
YEAR(start_date) = ".$year." AND
access_url_id = $current_access_url_id
ORDER BY start_date ASC";
}
// 2. creating the SQL statement for getting the personal agenda items in WEEK view
if ($type == "week_view") { // we are in week view
@ -3542,9 +3539,14 @@ class Agenda
$user_id = intval($user_id);
// 1. creating the SQL statement for getting the personal agenda items in MONTH view
if ($type == "month_view" or $type == "") {
if ($type === "month_view" || $type === "") {
// we are in month view
$sql = "SELECT * FROM ".$tbl_personal_agenda." WHERE user='".$user_id."' and MONTH(date)='".$month."' AND YEAR(date) = '".$year."' ORDER BY date ASC";
$sql = "SELECT * FROM $tbl_personal_agenda
WHERE
user='".$user_id."' AND
MONTH(date)='".$month."' AND
YEAR(date) = '".$year."'
ORDER BY date ASC";
}
// 2. creating the SQL statement for getting the personal agenda items in WEEK view

@ -13,8 +13,6 @@ use Symfony\Component\Finder\Finder;
* This library is in process of being transferred to src/Chamilo/CoreBundle/Component/Utils/ChamiloApi.
* Whenever a function is transferred to the ChamiloApi class, the places where it is used should include
* the "use Chamilo\CoreBundle\Component\Utils\ChamiloApi;" statement.
*
* @package chamilo.library
*/
// PHP version requirement.
@ -147,6 +145,7 @@ define('TOOL_ATTENDANCE', 'attendance');
define('TOOL_COURSE_PROGRESS', 'course_progress');
define('TOOL_PORTFOLIO', 'portfolio');
define('TOOL_PLAGIARISM', 'compilatio');
define('TOOL_XAPI', 'xapi');
// CONSTANTS defining Chamilo interface sections
define('SECTION_CAMPUS', 'mycampus');
@ -163,6 +162,7 @@ define('SECTION_DASHBOARD', 'dashboard');
define('SECTION_REPORTS', 'reports');
define('SECTION_GLOBAL', 'global');
define('SECTION_INCLUDE', 'include');
define('SECTION_CUSTOMPAGE', 'custompage');
// CONSTANT name for local authentication source
define('PLATFORM_AUTH_SOURCE', 'platform');
@ -228,6 +228,7 @@ define('LOG_EXERCISE_RESULT_DELETE', 'exe_result_deleted');
define('LOG_EXERCISE_ATTEMPT_DELETE', 'exe_attempt_deleted');
define('LOG_LP_ATTEMPT_DELETE', 'lp_attempt_deleted');
define('LOG_QUESTION_RESULT_DELETE', 'qst_attempt_deleted');
define('LOG_QUESTION_SCORE_UPDATE', 'score_attempt_updated');
define('LOG_MY_FOLDER_CREATE', 'my_folder_created');
define('LOG_MY_FOLDER_CHANGE', 'my_folder_changed');
@ -283,6 +284,10 @@ define('LOG_QUESTION_UPDATED', 'question_updated');
define('LOG_QUESTION_DELETED', 'question_deleted');
define('LOG_QUESTION_REMOVED_FROM_QUIZ', 'question_removed_from_quiz');
define('LOG_SURVEY_ID', 'survey_id');
define('LOG_SURVEY_CREATED', 'survey_created');
define('LOG_SURVEY_DELETED', 'survey_deleted');
define('LOG_SURVEY_CLEAN_RESULTS', 'survey_clean_results');
define('USERNAME_PURIFIER', '/[^0-9A-Za-z_\.-]/');
//used when login_is_email setting is true
@ -392,6 +397,7 @@ define('LINK_FORUM_THREAD', 5);
define('LINK_ATTENDANCE', 7);
define('LINK_SURVEY', 8);
define('LINK_HOTPOTATOES', 9);
define('LINK_PORTFOLIO', 10);
// Score display types constants
define('SCORE_DIV', 1); // X / Y
@ -480,6 +486,8 @@ define('RESULT_DISABLE_DONT_SHOW_SCORE_ONLY_IF_USER_FINISHES_ATTEMPTS_SHOW_ALWAY
define('RESULT_DISABLE_RANKING', 6);
define('RESULT_DISABLE_SHOW_ONLY_IN_CORRECT_ANSWER', 7);
define('RESULT_DISABLE_SHOW_SCORE_AND_EXPECTED_ANSWERS_AND_RANKING', 8);
define('RESULT_DISABLE_RADAR', 9);
define('RESULT_DISABLE_SHOW_SCORE_ATTEMPT_SHOW_ANSWERS_LAST_ATTEMPT_NO_FEEDBACK', 10);
define('EXERCISE_MAX_NAME_SIZE', 80);
@ -535,6 +543,7 @@ define('ITEM_TYPE_STUDENT_PUBLICATION', 6);
define('ITEM_TYPE_ATTENDANCE', 8);
define('ITEM_TYPE_SURVEY', 9);
define('ITEM_TYPE_FORUM_THREAD', 10);
define('ITEM_TYPE_PORTFOLIO', 11);
// one big string with all question types, for the validator in pear/HTML/QuickForm/Rule/QuestionType
define(
@ -1177,19 +1186,19 @@ function api_protect_course_script($print_headers = false, $allow_session_admins
default:
case COURSE_VISIBILITY_CLOSED:
// Completely closed: the course is only accessible to the teachers. - 0
if (api_get_user_id() && !api_is_anonymous() && $isAllowedInCourse) {
if ($isAllowedInCourse && api_get_user_id() && !api_is_anonymous()) {
$is_visible = true;
}
break;
case COURSE_VISIBILITY_REGISTERED:
// Private - access authorized to course members only - 1
if (api_get_user_id() && !api_is_anonymous() && $isAllowedInCourse) {
if ($isAllowedInCourse && api_get_user_id() && !api_is_anonymous()) {
$is_visible = true;
}
break;
case COURSE_VISIBILITY_OPEN_PLATFORM:
// Open - access allowed for users registered on the platform - 2
if (api_get_user_id() && !api_is_anonymous() && $isAllowedInCourse) {
if ($isAllowedInCourse && api_get_user_id() && !api_is_anonymous()) {
$is_visible = true;
}
break;
@ -2062,8 +2071,8 @@ function api_get_cidreq_params($courseCode, $sessionId = 0, $groupId = 0)
function api_get_cidreq($addSessionId = true, $addGroupId = true, $origin = '')
{
$courseCode = api_get_course_id();
$url = empty($courseCode) ? '' : 'cidReq='.htmlspecialchars($courseCode);
$origin = empty($origin) ? api_get_origin() : Security::remove_XSS($origin);
$url = empty($courseCode) ? '' : 'cidReq='.urlencode(htmlspecialchars($courseCode));
$origin = empty($origin) ? api_get_origin() : urlencode(Security::remove_XSS($origin));
if ($addSessionId) {
if (!empty($url)) {
@ -3422,9 +3431,9 @@ function api_is_allowed_to_edit(
//The student preview was on
if ($check_student_view && api_is_student_view_active()) {
return false;
} else {
return true;
}
return true;
}
$sessionId = api_get_session_id();
@ -3689,6 +3698,8 @@ function api_is_allowed($tool, $action, $task_id = 0)
return false;
}
}
return false;
}
/**
@ -4911,7 +4922,8 @@ function api_get_languages()
function api_get_languages_to_array()
{
$tbl_language = Database::get_main_table(TABLE_MAIN_LANGUAGE);
$sql = "SELECT * FROM $tbl_language WHERE available='1' ORDER BY original_name ASC";
$sql = "SELECT * FROM $tbl_language
WHERE available='1' ORDER BY original_name ASC";
$result = Database::query($sql);
$languages = [];
while ($row = Database::fetch_array($result)) {
@ -6599,7 +6611,11 @@ function api_is_in_group($groupIdParam = null, $courseCodeParam = null)
*/
function api_is_valid_secret_key($original_key_secret, $security_key)
{
return $original_key_secret == sha1($security_key);
if (empty($original_key_secret) || empty($security_key)) {
return false;
}
return (string) $original_key_secret === sha1($security_key);
}
/**
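Review bot: `return (string) $original_key_secret === sha1($security_key);` in api_is_valid_secret_key fixes the type-juggling weakness of `==`, but it is still a short-circuiting byte comparison of a caller-supplied secret against a computed digest; the idiomatic form is `return hash_equals(sha1($security_key), (string) $original_key_secret);`, which gives a constant-time compare and keeps the strict-string semantics. The empty() guard above it also rejects the literal string `'0'`, which is harmless for a sha1 hex value but worth a one-line comment so nobody "fixes" it later. Separately, in api_get_cidreq, `urlencode(htmlspecialchars($courseCode))` mixes two output contexts: a query-string value only needs `urlencode($courseCode)`, and HTML escaping belongs where the URL is written into markup, otherwise a code containing `&` is emitted as `%26amp%3B`.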

@ -148,9 +148,11 @@ class CourseManager
* @param int $orderby The column we want to order it by. Optional, defaults to first column.
* @param string $orderdirection The direction of the order (ASC or DESC). Optional, defaults to ASC.
* @param int $visibility the visibility of the course, or all by default
* @param string $startwith If defined, only return results for which the course *title* begins with this string
* @param string $startwith If defined, only return results for which the course *title* begins with this
* string
* @param string $urlId The Access URL ID, if using multiple URLs
* @param bool $alsoSearchCode An extension option to indicate that we also want to search for course codes (not *only* titles)
* @param bool $alsoSearchCode An extension option to indicate that we also want to search for course codes
* (not *only* titles)
* @param array $conditionsLike
* @param array $onlyThisCourseList
*
@ -159,7 +161,7 @@ class CourseManager
public static function get_courses_list(
$from = 0,
$howmany = 0,
$orderby = 1,
$orderby = 'title',
$orderdirection = 'ASC',
$visibility = -1,
$startwith = '',
@ -233,20 +235,25 @@ class CourseManager
}
}
if (!empty($orderby)) {
$sql .= " ORDER BY ".Database::escape_string($orderby)." ";
if (empty($orderby)) {
$sql .= ' ORDER BY title ';
} else {
$sql .= ' ORDER BY 1 ';
if (in_array($orderby, ['title'])) {
$sql .= " ORDER BY `".Database::escape_string($orderby)."` ";
} else {
$sql .= ' ORDER BY title ';
}
}
$orderdirection = strtoupper($orderdirection);
if (!in_array($orderdirection, ['ASC', 'DESC'])) {
$sql .= 'ASC';
} else {
$sql .= ($orderdirection == 'ASC' ? 'ASC' : 'DESC');
$sql .= $orderdirection === 'ASC' ? 'ASC' : 'DESC';
}
if (!empty($howmany) && is_int($howmany) and $howmany > 0) {
$sql .= ' LIMIT '.Database::escape_string($howmany);
$sql .= ' LIMIT '.(int) $howmany;
} else {
$sql .= ' LIMIT 1000000'; //virtually no limit
}
@ -349,8 +356,8 @@ class CourseManager
*/
public static function get_tutor_in_course_status($userId, $courseId)
{
$userId = intval($userId);
$courseId = intval($courseId);
$userId = (int) $userId;
$courseId = (int) $courseId;
$result = Database::fetch_array(
Database::query(
"SELECT is_tutor
@ -1301,7 +1308,7 @@ class CourseManager
// we have to check if it is a valid field that can be sorted on
if (!strstr($order_by, 'ORDER BY')) {
if (!empty($order_by)) {
$order_by = "ORDER BY $order_by";
$order_by = "ORDER BY $order_by ";
} else {
$order_by = '';
}
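Review bot: `$order_by = "ORDER BY $order_by ";` still interpolates `$order_by` into the query unchanged although the comment just above says the field has to be checked as a valid sortable column; the commit only appends a trailing space. The enclosing function starts outside the hunk so I cannot see where the value originates, but if it can be request-driven it needs the treatment get_courses_list receives in this same commit: compare against an explicit list of sortable columns and quote the identifier, e.g. `$order_by = in_array($order_by, $SORTABLE_COLUMNS_PLACEHOLDER, true) ? "ORDER BY `$order_by` " : '';` (replace the placeholder with the real column list). In get_courses_list, `in_array($orderby, ['title'])` should pass `true` as the third argument so loose comparison cannot match unexpected scalars.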

@ -21,6 +21,8 @@ class Database
private static $connection;
/**
* Set the DB manager instance.
*
* @param EntityManager $em
*/
public function setManager($em)
@ -29,7 +31,7 @@ class Database
}
/**
* @param Connection $connection
* Set the DB connection instance.
*/
public function setConnection(Connection $connection)
{
@ -37,6 +39,8 @@ class Database
}
/**
* Get the DB connection instance.
*
* @return Connection
*/
public function getConnection()
@ -45,6 +49,8 @@ class Database
}
/**
* Get the DB manager instance.
*
* @return EntityManager
*/
public static function getManager()
@ -105,11 +111,9 @@ class Database
/**
* Returns the number of affected rows in the last database operation.
*
* @param Statement $result
*
* @return int
*/
public static function affected_rows(Statement $result)
public static function affected_rows($result)
{
return $result->rowCount();
}
@ -210,7 +214,7 @@ class Database
}
/**
* Escape MySQL wildchars _ and % in LIKE search.
* Escape MySQL wildcards _ and % in LIKE search.
*
* @param string $text The string to escape
*
@ -245,12 +249,11 @@ class Database
/**
* Gets the array from a SQL result (as returned by Database::query).
*
* @param Statement $result
* @param string $option Optional: "ASSOC","NUM" or "BOTH"
*
* @return array|mixed
*/
public static function fetch_array(Statement $result, $option = 'BOTH')
public static function fetch_array($result, $option = 'BOTH')
{
if ($result === false) {
return [];
@ -262,11 +265,9 @@ class Database
/**
* Gets an associative array from a SQL result (as returned by Database::query).
*
* @param Statement $result
*
* @return array
*/
public static function fetch_assoc(Statement $result)
public static function fetch_assoc($result)
{
return $result->fetch(PDO::FETCH_ASSOC);
}
@ -275,11 +276,9 @@ class Database
* Gets the next row of the result of the SQL query
* (as returned by Database::query) in an object form.
*
* @param Statement $result
*
* @return mixed
*/
public static function fetch_object(Statement $result)
public static function fetch_object($result)
{
return $result->fetch(PDO::FETCH_OBJ);
}
@ -288,11 +287,9 @@ class Database
* Gets the array from a SQL result (as returned by Database::query)
* help achieving database independence.
*
* @param Statement $result
*
* @return mixed
*/
public static function fetch_row(Statement $result)
public static function fetch_row($result)
{
if ($result === false) {
return [];
@ -308,7 +305,7 @@ class Database
* Notes: Use this method if you are concerned about how much memory is being used for queries that return large result sets.
* Anyway, all associated result memory is automatically freed at the end of the script's execution.
*/
public static function free_result(Statement $result)
public static function free_result($result)
{
$result->closeCursor();
}
@ -324,11 +321,11 @@ class Database
}
/**
* @param Statement $result
* Wrapper for rowCount().
*
* @return int
*/
public static function num_rows(Statement $result)
public static function num_rows($result)
{
if ($result === false) {
return 0;
@ -341,13 +338,12 @@ class Database
* Acts as the relative *_result() function of most DB drivers and fetches a
* specific line and a field.
*
* @param Statement $resource
* @param int $row
* @param string $field
*
* @return mixed
*/
public static function result(Statement $resource, $row, $field = '')
public static function result($resource, $row, $field = '')
{
if ($resource->rowCount() > 0) {
$result = $resource->fetchAll(PDO::FETCH_BOTH);
@ -359,6 +355,8 @@ class Database
}
/**
* Wrapper for executeQuery().
*
* @param string $query
*
* @return Statement
@ -377,6 +375,8 @@ class Database
}
/**
* Deal with exceptions from the database extension.
*
* @param Exception $e
*/
public static function handleError($e)
@ -425,13 +425,13 @@ class Database
*
* @return array - the value returned by the query
*/
public static function store_result(Statement $result, $option = 'BOTH')
public static function store_result($result, $option = 'BOTH')
{
return $result->fetchAll(self::customOptionToDoctrineOption($option));
}
/**
* Database insert.
* Build an insert query.
*
* @param string $table_name
* @param array $attributes
@ -468,6 +468,8 @@ class Database
}
/**
* Build an update query.
*
* @param string $tableName use Database::get_main_table
* @param array $attributes Values to updates
* Example: $params['name'] = 'Julio'; $params['lastname'] = 'Montoya';
@ -535,7 +537,7 @@ class Database
* @param mixed $columns array (or string if only one column)
* @param string $table_name
* @param array $conditions
* @param string $type_result
* @param string $type_result all|first|count
* @param string $option
* @param bool $debug
*
@ -616,7 +618,7 @@ class Database
}
} else {
$value_array = self::escape_string($value_array);
$clean_values = $value_array;
$clean_values = [$value_array];
}
if (!empty($condition) && $clean_values != '') {
@ -644,7 +646,7 @@ class Database
if (!empty($order_array)) {
// 'order' => 'id desc, name desc'
$order_array = self::escape_string($order_array, null, false);
$order_array = self::escape_string($order_array);
$new_order_array = explode(',', $order_array);
$temp_value = [];
@ -659,10 +661,10 @@ class Database
if (in_array($element[1], ['desc', 'asc'])) {
$order = $element[1];
}
$temp_value[] = $element[0].' '.$order.' ';
$temp_value[] = ' `'.$element[0].'` '.$order.' ';
} else {
//by default DESC
$temp_value[] = $element[0].' DESC ';
$temp_value[] = ' `'.$element[0].'` DESC ';
}
}
if (!empty($temp_value)) {
@ -697,6 +699,8 @@ class Database
}
/**
* Build a delete query.
*
* @param string $table_name
* @param array $where_conditions
* @param bool $show_query
@ -764,6 +768,8 @@ class Database
}
/**
* Check if a given table exists.
*
* @param string $table
*
* @return bool
@ -774,6 +780,8 @@ class Database
}
/**
* List the columns of a given table.
*
* @param string $table
*
* @return \Doctrine\DBAL\Schema\Column[]
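Review bot: Wrapping `$element[0]` in backticks at `$temp_value[] = ' `'.$element[0].'` '.$order.' ';` (and the `DESC` line below it) only protects the ORDER BY clause if the value cannot itself contain a backtick, and `Database::escape_string` escapes quotes, not backticks, so an attacker-shaped order string can still close the identifier. Validate the column name instead of relying on quoting, e.g. before the `in_array($element[1], ['desc', 'asc'])` test: `if (!preg_match('/^[A-Za-z0-9_]+$/', $element[0])) { continue; }`. Note that a qualified name such as `alias.column`, if any caller passes one through `'order'`, is now quoted as one identifier and becomes an unknown column, so such names would need splitting and quoting per part. The same quote-instead-of-validate pattern is applied in this commit's exercise.lib.php, groupmanager.lib.php, myspace.lib.php, notebook.lib.php and online.inc.php hunks, and this note applies to them as well.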

@ -138,9 +138,9 @@ class ExerciseLib
<table class="data_table">';
}
// Iterate through answers
// Iterate through answers.
$x = 1;
//mark letters for each answer
// Mark letters for each answer.
$letter = 'A';
$answer_matching = [];
$cpt1 = [];
@ -151,9 +151,7 @@ class ExerciseLib
// options (A, B, C, ...) that will be put into the list-box
// have the "correct" field set to 0 because they are answer
$cpt1[$x] = $letter;
$answer_matching[$x] = $objAnswerTmp->selectAnswerByAutoId(
$numAnswer
);
$answer_matching[$x] = $objAnswerTmp->selectAnswerByAutoId($numAnswer);
$x++;
$letter++;
}
@ -1838,8 +1836,9 @@ HOTSPOT;
}
$in_hotpot_path = Database::escape_string($in_hotpot_path);
$in_direction = Database::escape_string($in_direction);
$in_direction = !in_array(strtolower(trim($in_direction)), ['asc', 'desc']) ? 'asc' : $in_direction;
$in_column = Database::escape_string($in_column);
$in_number_of_items = intval($in_number_of_items);
$in_number_of_items = (int) $in_number_of_items;
$in_from = (int) $in_from;
$TBL_TRACK_HOTPOTATOES = Database::get_main_table(
@ -1863,7 +1862,7 @@ HOTSPOT;
}
// get a number of sorted results
$sql .= " $where_condition
ORDER BY $in_column $in_direction
ORDER BY `$in_column` $in_direction
LIMIT $in_from, $in_number_of_items";
$res = Database::query($sql);
@ -2239,9 +2238,10 @@ HOTSPOT;
$column = !empty($column) ? Database::escape_string($column) : null;
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
if (!empty($column)) {
$sql .= " ORDER BY $column $direction ";
$sql .= " ORDER BY `$column` $direction ";
}
$sql .= " LIMIT $from, $number_of_items";
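Review bot: The direction check `$in_direction = !in_array(strtolower(trim($in_direction)), ['asc', 'desc']) ? 'asc' : $in_direction;` validates the normalized form but then keeps the raw value, so the query receives whatever casing and surrounding whitespace came in, and the identical expression is pasted again further down for `$direction`. Assign the normalized value and use a strict in_array: `$in_direction = strtolower(trim($in_direction)); $in_direction = in_array($in_direction, ['asc', 'desc'], true) ? $in_direction : 'asc';`. Since the same line also appears in myspace.lib.php in this commit, a small shared helper would keep the three copies from drifting. Both enclosing functions start outside their hunks.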

@ -483,7 +483,8 @@ class ExtraField extends Model
* @param FormValidator $form The form object to which to attach this element
* @param int $itemId The item (course, user, session, etc) this extra_field is linked to
* @param array $exclude Variables of extra field to exclude
* @param bool $filter Whether to get only the fields with the "filter" flag set to 1 (true) or not (false)
* @param bool $filter Whether to get only the fields with the "filter" flag set to 1 (true)
* or not (false)
* @param bool $useTagAsSelect Whether to show tag fields as select drop-down or not
* @param array $showOnlyTheseFields Limit the extra fields shown to just the list given here
* @param array $orderFields An array containing the names of the fields shown, in the right order
@ -2977,8 +2978,8 @@ JAVASCRIPT;
{
$skillTable = Database::get_main_table(TABLE_MAIN_SKILL);
$tagRelExtraTable = Database::get_main_table(TABLE_MAIN_EXTRA_FIELD_REL_TAG);
$fieldId = intval($fieldId);
$tagId = intval($tagId);
$fieldId = (int) $fieldId;
$tagId = (int) $tagId;
$sql = "SELECT s.id
FROM $skillTable s INNER JOIN $tagRelExtraTable t
@ -3024,6 +3025,7 @@ JAVASCRIPT;
$tagRelExtraTable = Database::get_main_table(TABLE_MAIN_EXTRA_FIELD_REL_TAG);
$tagTable = Database::get_main_table(TABLE_MAIN_TAG);
$optionsTable = Database::get_main_table(TABLE_EXTRA_FIELD_OPTIONS);
$value = Database::escape_string(implode("','", $options));
$sql = "SELECT DISTINCT t.*, v.value, o.display_text
FROM $tagRelExtraTable te
@ -3033,7 +3035,7 @@ JAVASCRIPT;
ON (te.item_id = v.item_id AND v.field_id = $id)
INNER JOIN $optionsTable o
ON (o.option_value = v.value)
WHERE v.value IN ('".implode("','", $options)."')
WHERE v.value IN ('".$value."')
ORDER BY o.option_order, t.tag
";
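Review bot: `$value = Database::escape_string(implode("','", $options));` escapes the result after the elements have been joined, so the `','` separators themselves get their quotes escaped and `IN ('".$value."')` collapses to a single string literal containing `a','b` instead of a list of values; the query silently matches nothing. Escape each element before joining: `$value = implode("','", array_map(['Database', 'escape_string'], $options));`. A strict-typed guard for a non-array `$options` would also be reasonable, since an empty implode yields `IN ('')`.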

@ -24,7 +24,7 @@
*/
function php2phps($file_name)
{
return preg_replace('/\.(php.?|phtml.?)(\.){0,1}.*$/i', '.phps', $file_name);
return preg_replace('/\.(phar.?|php.?|phtml.?)(\.){0,1}.*$/i', '.phps', $file_name);
}
/**
@ -238,7 +238,7 @@ function handle_uploaded_document(
$sessionId = null,
$treat_spaces_as_hyphens = true
) {
if (!$userId) {
if (empty($uploadedFile) || empty($userId) || empty($courseInfo) || empty($documentDir) || empty($uploadPath)) {
return false;
}
@ -268,6 +268,16 @@ function handle_uploaded_document(
return false;
}
if (!Security::check_abs_path($documentDir.$uploadPath, $documentDir.'/')) {
Display::addFlash(
Display::return_message(
get_lang('Forbidden'),
'error'
)
);
return false;
}
// If the want to unzip, check if the file has a .zip (or ZIP,Zip,ZiP,...) extension
if ($unzip == 1 && preg_match('/.zip$/', strtolower($uploadedFile['name']))) {
return unzip_uploaded_document(
@ -310,7 +320,7 @@ function handle_uploaded_document(
return false;
} else {
// If the upload path differs from / (= root) it will need a slash at the end
if ($uploadPath != '/') {
if ($uploadPath !== '/') {
$uploadPath = $uploadPath.'/';
}
@ -1055,47 +1065,34 @@ function unzip_uploaded_file($uploaded_file, $upload_path, $base_work_dir, $max_
/* Uncompressing phase */
/*
The first version, using OS unzip, is not used anymore
because it does not return enough information.
We need to process each individual file in the zip archive to
- add it to the database
- parse & change relative html links
*/
if (PHP_OS == 'Linux' && !get_cfg_var('safe_mode') && false) { // *** UGent, changed by OC ***
// Shell Method - if this is possible, it gains some speed
exec("unzip -d \"".$base_work_dir.$upload_path."/\"".$uploaded_file['name']." ".$uploaded_file['tmp_name']);
} else {
// PHP method - slower...
$save_dir = getcwd();
chdir($base_work_dir.$upload_path);
$unzippingState = $zip_file->extract();
for ($j = 0; $j < count($unzippingState); $j++) {
$state = $unzippingState[$j];
// Fix relative links in html files
$extension = strrchr($state['stored_filename'], '.');
}
if ($dir = @opendir($base_work_dir.$upload_path)) {
while ($file = readdir($dir)) {
if ($file != '.' && $file != '..') {
$filetype = 'file';
if (is_dir($base_work_dir.$upload_path.'/'.$file)) {
$filetype = 'folder';
}
$save_dir = getcwd();
chdir($base_work_dir.$upload_path);
$unzippingState = $zip_file->extract();
for ($j = 0; $j < count($unzippingState); $j++) {
$state = $unzippingState[$j];
$safe_file = api_replace_dangerous_char($file);
@rename($base_work_dir.$upload_path.'/'.$file, $base_work_dir.$upload_path.'/'.$safe_file);
set_default_settings($upload_path, $safe_file, $filetype);
// Fix relative links in html files
$extension = strrchr($state['stored_filename'], '.');
}
if ($dir = @opendir($base_work_dir.$upload_path)) {
while ($file = readdir($dir)) {
if ($file != '.' && $file != '..') {
$filetype = 'file';
if (is_dir($base_work_dir.$upload_path.'/'.$file)) {
$filetype = 'folder';
}
}
closedir($dir);
} else {
error_log('Could not create directory '.$base_work_dir.$upload_path.' to unzip files');
$safe_file = api_replace_dangerous_char($file);
@rename($base_work_dir.$upload_path.'/'.$file, $base_work_dir.$upload_path.'/'.$safe_file);
set_default_settings($upload_path, $safe_file, $filetype);
}
}
chdir($save_dir); // Back to previous dir position
closedir($dir);
} else {
error_log('Could not create directory '.$base_work_dir.$upload_path.' to unzip files');
}
chdir($save_dir); // Back to previous dir position
}
return true;
@ -1137,6 +1134,9 @@ function unzip_uploaded_document(
$onlyUploadFile = false,
$whatIfFileExists = 'overwrite'
) {
if (empty($courseInfo) || empty($userInfo) || empty($uploaded_file) || empty($uploadPath)) {
return false;
}
$zip = new PclZip($uploaded_file['tmp_name']);
// Check the zip content (real size and file extension)
@ -1221,6 +1221,26 @@ function clean_up_files_in_zip($p_event, &$p_header)
return 1;
}
function cleanZipFilesNoRename($p_event, &$p_header)
{
$originalStoredFileName = $p_header['stored_filename'];
$baseName = basename($originalStoredFileName);
// Skip files
$skipFiles = [
'__MACOSX',
'.Thumbs.db',
'Thumbs.db',
];
if (in_array($baseName, $skipFiles)) {
return 0;
}
$modifiedStoredFileName = clean_up_path($originalStoredFileName, false);
$p_header['filename'] = str_replace($originalStoredFileName, $modifiedStoredFileName, $p_header['filename']);
return 1;
}
/**
* Allow .htaccess file.
*
@ -1260,13 +1280,14 @@ function cleanZipFilesAllowHtaccess($p_event, &$p_header)
* by eliminating dangerous file names and cleaning them.
*
* @param string $path
* @param bool $replaceName
*
* @return string
*
* @see disable_dangerous_file()
* @see api_replace_dangerous_char()
*/
function clean_up_path($path)
function clean_up_path($path, $replaceName = true)
{
// Split the path in folders and files
$path_array = explode('/', $path);
@ -1274,7 +1295,10 @@ function clean_up_path($path)
foreach ($path_array as $key => &$val) {
// We don't want to lose the dots in ././folder/file (cfr. zipfile)
if ($val != '.') {
$val = disable_dangerous_file(api_replace_dangerous_char($val));
if ($replaceName) {
$val = api_replace_dangerous_char($val);
}
$val = disable_dangerous_file($val);
}
}
// Join the "cleaned" path (modified in-place as passed by reference)
@ -1596,10 +1620,10 @@ function search_img_from_html($html_file)
$buffer = fread($fp, $size_file);
if (strlen($buffer) >= 0 && $buffer !== false) {
} else {
die('<center>Can not read file.</center>');
exit('<center>Can not read file.</center>');
}
} else {
die('<center>Can not read file.</center>');
exit('<center>Can not read file.</center>');
}
$matches = [];
if (preg_match_all('~<[[:space:]]*img[^>]*>~i', $buffer, $matches)) {
@ -1707,7 +1731,7 @@ function create_unexisting_directory(
}
if (!is_dir($base_work_dir.$systemFolderName)) {
$result = mkdir(
$result = @mkdir(
$base_work_dir.$systemFolderName,
api_get_permissions_for_new_directories(),
true
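Review bot: In unzip_uploaded_file the return value of `chdir($base_work_dir.$upload_path);` is never checked before `$unzippingState = $zip_file->extract();`; as far as I can tell PclZip's extract() with no path option writes relative to the current working directory, so a failed chdir would unpack the archive into `$save_dir` (the script's directory) rather than the course document folder. Guard it: `if (!chdir($base_work_dir.$upload_path)) { error_log('Could not chdir to '.$base_work_dir.$upload_path); return false; }`. The `for` loop over `$unzippingState` only assigns `$extension` and never uses it, so either drop it or implement the link fixing its comment announces; the `else` branch's message also says "Could not create directory" although the failing call is opendir(). The new cleanZipFilesNoRename() function lacks a docblock describing the return contract (0 skips the entry, 1 keeps it) and that only disable_dangerous_file() is applied when renaming is off.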

@ -8,8 +8,6 @@ use Chamilo\CourseBundle\Entity\CGroupRelUser;
*
* @author Bart Mollet
*
* @package chamilo.library
*
* @todo Add $course_code parameter to all functions. So this GroupManager can
* be used outside a session.
*/
@ -90,6 +88,7 @@ class GroupManager
* @param int $status group status
* @param int $sessionId
* @param bool $getCount
* @param bool $notInGroup Get groups not in a category
*
* @return array an array with all information about the groups
*/
@ -645,18 +644,17 @@ class GroupManager
*/
public static function getGroupListFilterByName($name, $categoryId, $courseId)
{
$name = trim($name);
$name = Database::escape_string(trim($name));
$categoryId = (int) $categoryId;
$courseId = (int) $courseId;
if (empty($name)) {
return [];
}
$name = Database::escape_string($name);
$courseId = (int) $courseId;
$table_group = Database::get_course_table(TABLE_GROUP);
$sql = "SELECT * FROM $table_group
$table = Database::get_course_table(TABLE_GROUP);
$sql = "SELECT * FROM $table
WHERE c_id = $courseId AND name LIKE '%$name%'";
if (!empty($categoryId)) {
$categoryId = intval($categoryId);
$sql .= " AND category_id = $categoryId";
}
$sql .= " ORDER BY name";
@ -866,7 +864,7 @@ class GroupManager
$table_group = Database::get_course_table(TABLE_GROUP);
$table_group_cat = Database::get_course_table(TABLE_GROUP_CATEGORY);
$group_id = intval($group_id);
$group_id = (int) $group_id;
if (empty($group_id)) {
return [];
@ -1131,7 +1129,7 @@ class GroupManager
WHERE g.c_id = '.$course_info['real_id'].'
AND gu.c_id = g.c_id
AND gu.group_id = g.iid ';
if ($category_id != null) {
if (null != $category_id) {
$category_id = intval($category_id);
$sql .= ' AND g.category_id = '.$category_id;
}
@ -1221,14 +1219,14 @@ class GroupManager
g.id = $group_id";
if (!empty($column) && !empty($direction)) {
$column = Database::escape_string($column, null, false);
$direction = ($direction == 'ASC' ? 'ASC' : 'DESC');
$sql .= " ORDER BY $column $direction";
$column = Database::escape_string($column);
$direction = ('ASC' === $direction ? 'ASC' : 'DESC');
$sql .= " ORDER BY `$column` $direction";
}
if (!empty($start) && !empty($limit)) {
$start = intval($start);
$limit = intval($limit);
$start = (int) $start;
$limit = (int) $limit;
$sql .= " LIMIT $start, $limit";
}
$res = Database::query($sql);
@ -1466,11 +1464,10 @@ class GroupManager
public static function number_of_students($group_id, $course_id = null)
{
$table = Database::get_course_table(TABLE_GROUP_USER);
$group_id = intval($group_id);
$group_id = (int) $group_id;
$course_id = (int) $course_id;
if (empty($course_id)) {
$course_id = api_get_course_int_id();
} else {
$course_id = intval($course_id);
}
$sql = "SELECT COUNT(*) AS number_of_students
FROM $table
@ -1491,7 +1488,7 @@ class GroupManager
public static function maximum_number_of_students($group_id)
{
$table = Database::get_course_table(TABLE_GROUP);
$group_id = intval($group_id);
$group_id = (int) $group_id;
$course_id = api_get_course_int_id();
$sql = "SELECT max_student FROM $table
WHERE c_id = $course_id AND iid = $group_id";
@ -1620,8 +1617,8 @@ class GroupManager
return false;
}
$table = Database::get_course_table(TABLE_GROUP_USER);
$group_id = intval($groupInfo['id']);
$user_id = intval($user_id);
$group_id = (int) $groupInfo['id'];
$user_id = (int) $user_id;
$sql = "SELECT 1 FROM $table
WHERE
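Review bot: In getGroupListFilterByName the value passed to `name LIKE '%$name%'` is quote-escaped only; `Database::escape_string` does not neutralise the LIKE wildcards, so a search string of `%` or `_` matches every group and a crafted pattern can drive an expensive scan. Run the value through the wildcard escaper (this commit's database.lib.php hunk documents a helper as "Escape MySQL wildcards _ and % in LIKE search") or, failing that, `$name = addcslashes(Database::escape_string(trim($name)), '%_');` applied after the quote escaping so the backslashes are not doubled. The `null != $category_id` test further down is still a loose comparison; `null !== $category_id` would match the strictness adopted elsewhere in this commit.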

@ -8,8 +8,6 @@ use CpChart\Image as pImage;
/**
* Class MySpace.
*
* @package chamilo.reporting
*/
class MySpace
{
@ -480,7 +478,7 @@ class MySpace
}
}
if (!empty($order[$tracking_column])) {
$sqlCoachs .= ' ORDER BY '.$order[$tracking_column].' '.$tracking_direction;
$sqlCoachs .= " ORDER BY `".$order[$tracking_column]."` ".$tracking_direction;
}
$result_coaches = Database::query($sqlCoachs);
@ -1004,6 +1002,13 @@ class MySpace
$column,
$direction
) {
switch ($column) {
default:
case 1:
$column = 'title';
break;
}
$courses = CourseManager::get_courses_list(
$from,
$numberItems,
@ -1078,8 +1083,10 @@ class MySpace
null,
true
);
$progress += $progress_tmp[0];
$nb_progress_lp += $progress_tmp[1];
if ($progress_tmp) {
$progress += $progress_tmp[0];
$nb_progress_lp += $progress_tmp[1];
}
$score_tmp = Tracking::get_avg_student_score(
$row->user_id,
$course_code,
@ -2018,9 +2025,9 @@ class MySpace
$direction = 'ASC';
}
$column = intval($column);
$from = intval($from);
$number_of_items = intval($number_of_items);
$column = (int) $column;
$from = (int) $from;
$number_of_items = (int) $number_of_items;
$sql .= " ORDER BY col$column $direction ";
$sql .= " LIMIT $from,$number_of_items";
@ -2152,7 +2159,7 @@ class MySpace
}
$order = [
"$column $direction",
" `$column` $direction",
];
$userList = UserManager::get_user_list([], $order, $from, $numberItems);
$return = [];
@ -2836,6 +2843,7 @@ class MySpace
$numberItems = (int) $numberItems;
$column = (int) $column;
$orderDirection = Database::escape_string($orderDirection);
$orderDirection = !in_array(strtolower(trim($orderDirection)), ['asc', 'desc']) ? 'asc' : $orderDirection;
$user = Database::get_main_table(TABLE_MAIN_USER);
$course = Database::get_main_table(TABLE_MAIN_COURSE);
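Review bot: The new `switch ($column) { default: case 1: $column = 'title'; break; }` always assigns `'title'` regardless of input, so the caller's sort choice is discarded silently and the construct reads as if more columns were handled; either write `$column = 'title'; // only title is sortable here` with that intent stated, or map the grid's column indexes to real column names so the sort actually works. In the last hunk, `$orderDirection = Database::escape_string($orderDirection);` is redundant once the following line restricts the value to `asc`/`desc`, and the normalized (trimmed, lowercased) value should be the one assigned rather than the raw input. The enclosing functions start outside their hunks.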

@ -8,8 +8,6 @@ use ChamiloSession as Session;
* Include/require it in your code to use its features.
*
* @author Carlos Vargas <litox84@gmail.com>, move code of main/notebook up here
*
* @package chamilo.library
*/
class NotebookManager
{
@ -276,12 +274,12 @@ class NotebookManager
// Database table definition
$table = Database::get_course_table(TABLE_NOTEBOOK);
$order_by = ' ORDER BY '.$notebookView." $sort_direction ";
$order_by = " ORDER BY `$notebookView` $sort_direction ";
// Condition for the session
$condition_session = api_get_session_condition($sessionId);
$cond_extra = $notebookView == 'update_date' ? " AND update_date <> ''" : ' ';
$cond_extra = $notebookView === 'update_date' ? " AND update_date <> ''" : ' ';
$course_id = api_get_course_int_id();
$sql = "SELECT * FROM $table
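Review bot: `$order_by = " ORDER BY `$notebookView` $sort_direction ";` interpolates both `$notebookView` and `$sort_direction` and the hunk shows no validation of either; the function begins outside the hunk, so they may already be checked there, but if not, backticks do nothing for the direction and only partially protect the column. Normalise the direction with `$sort_direction = 'ASC' === strtoupper($sort_direction) ? 'ASC' : 'DESC';` and accept `$notebookView` only when it is one of the notebook's sortable columns (the hunk shows `update_date`; the list should name the others explicitly), falling back to a default otherwise.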

@ -762,6 +762,8 @@ class wsdl extends nusoap_base
$this->setError("Neither _SERVER nor HTTP_SERVER_VARS is available");
}
$url = '<a href="'.$PHP_SELF.'?wsdl">WSDL</a>';
$url = Security::remove_XSS($url);
$b = '
<html><head><title>NuSOAP: '.$this->serviceName.'</title>
<style type="text/css">
@ -842,7 +844,7 @@ class wsdl extends nusoap_base
<br><br>
<div class=title>'.$this->serviceName.'</div>
<div class=nav>
<p>View the <a href="'.$PHP_SELF.'?wsdl">WSDL</a> for the service.
<p>View the '.$url.' for the service.
Click on an operation name to view it&apos;s details.</p>
<ul>';
foreach($this->getOperations() as $op => $data){
@ -852,13 +854,13 @@ class wsdl extends nusoap_base
<a href='#' onclick='popout()'><font color='#ffffff'>Close</font></a><br><br>";
foreach($data as $donnie => $marie){ // loop through opdata
if($donnie == 'input' || $donnie == 'output'){ // show input/output data
$b .= "<font color='white'>".ucfirst($donnie).':</font><br>';
$b .= Security::remove_XSS("<font color='white'>".ucfirst($donnie).':</font><br>');
foreach($marie as $captain => $tenille){ // loop through data
if($captain == 'parts'){ // loop thru parts
$b .= "&nbsp;&nbsp;$captain:<br>";
//if(is_array($tenille)){
foreach($tenille as $joanie => $chachi){
$b .= "&nbsp;&nbsp;&nbsp;&nbsp;$joanie: $chachi<br>";
$b .= Security::remove_XSS("&nbsp;&nbsp;&nbsp;&nbsp;$joanie: $chachi<br>");
}
//}
} else {
@ -866,7 +868,7 @@ class wsdl extends nusoap_base
}
}
} else {
$b .= "<font color='white'>".ucfirst($donnie).":</font> $marie<br>";
$b .= Security::remove_XSS("<font color='white'>".ucfirst($donnie).":</font> $marie<br>");
}
}
$b .= '</div>';
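Review bot: At the new `$url` line the filter is applied to markup the code builds itself, while the only untrusted part is `$PHP_SELF`; passing a complete `<a>` element through `Security::remove_XSS` depends on the filter keeping that element intact rather than on escaping the value. Escape the variable in attribute context before assembling the link: `$url = '<a href="'.htmlspecialchars($PHP_SELF, ENT_QUOTES, 'UTF-8').'?wsdl">WSDL</a>';`. The same applies to the two loops below, where `$joanie`, `$chachi` and `$marie` are the data: `htmlspecialchars` on those values is more predictable than filtering the assembled fragment. `$this->serviceName` is still inserted unescaped into the `<title>` and `<div class=title>` context lines, which this commit does not touch; the method continues outside the hunk.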

@ -10,13 +10,9 @@ use ChamiloSession as Session;
* @author Denes Nagy, principal author
* @author Bart Mollet
* @author Roan Embrechts, cleaning and bugfixing
*
* @package chamilo.whoisonline
*/
/**
* Insert a login reference for the current user into the track_e_online stats table.
* This table keeps trace of the last login. Nothing else matters (we don't keep traces of anything older).
* Insert a login reference for the current user into the track_e_online stats
* table. This table keeps trace of the last login. Nothing else matters (we
* don't keep traces of anything older).
*
* @param int user id
*/
@ -290,14 +286,14 @@ function who_is_online(
friend_user_id <> '".api_get_user_id()."' AND
relation_type='".USER_RELATION_TYPE_FRIEND."' AND
user_id = '".api_get_user_id()."'
ORDER BY $column $direction
ORDER BY `$column` $direction
LIMIT $from, $number_of_items";
} else {
$query = "SELECT DISTINCT login_user_id, login_date
FROM ".$track_online_table." e
INNER JOIN ".$table_user." u ON (u.id = e.login_user_id)
WHERE u.status != ".ANONYMOUS." AND login_date >= '".$current_date."'
ORDER BY $column $direction
ORDER BY `$column` $direction
LIMIT $from, $number_of_items";
}
@ -313,7 +309,7 @@ function who_is_online(
login_date >= '".$current_date."' AND
friend_user_id <> '".api_get_user_id()."' AND
relation_type='".USER_RELATION_TYPE_FRIEND."'
ORDER BY $column $direction
ORDER BY `$column` $direction
LIMIT $from, $number_of_items";
} else {
// all users online
@ -323,7 +319,7 @@ function who_is_online(
ON (u.id=track.login_user_id)
WHERE u.status != ".ANONYMOUS." AND track.access_url_id = $access_url_id AND
login_date >= '".$current_date."'
ORDER BY $column $direction
ORDER BY `$column` $direction
LIMIT $from, $number_of_items";
}
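Review bot: The four `ORDER BY` lines now backtick `$column`, but `$direction` is still interpolated unchanged and neither value is validated inside this hunk; a backtick character inside `$column` would still terminate the identifier. The parameter handling of `who_is_online` is above the hunk, so if both are already allow-listed there this is fine; otherwise add `$direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';` and map `$column` to one of the query's sortable columns at the top of the function. `$from` and `$number_of_items` reach `LIMIT` unquoted as well and should be `(int)` cast at the same place.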
}

@ -315,16 +315,6 @@ class SessionManager
$sessionFieldValue = new ExtraFieldValue('session');
$sessionFieldValue->saveFieldValues($extraFields);
/*
Sends a message to the user_id = 1
$user_info = api_get_user_info(1);
$complete_name = $user_info['firstname'].' '.$user_info['lastname'];
$subject = api_get_setting('siteName').' - '.get_lang('ANewSessionWasCreated');
$message = get_lang('ANewSessionWasCreated')." <br /> ".get_lang('NameOfTheSession').' : '.$name;
api_mail_html($complete_name, $user_info['email'], $subject, $message);
*
*/
// Adding to the correct URL
UrlManager::add_session_to_url($session_id, $accessUrlId);
@ -335,7 +325,7 @@ class SessionManager
LOG_SESSION_ID,
$session_id,
api_get_utc_datetime(),
$user_id
api_get_user_id()
);
}
@ -3590,7 +3580,7 @@ class SessionManager
}
if (!empty($order)) {
$sql_query .= " ORDER BY $order $direction ";
$sql_query .= " ORDER BY `$order` $direction ";
}
}
@ -3949,7 +3939,7 @@ class SessionManager
// Inserting new sessions list.
if (!empty($sessions_list) && is_array($sessions_list)) {
foreach ($sessions_list as $session_id) {
$session_id = intval($session_id);
$session_id = (int) $session_id;
$sql = "SELECT session_id
FROM $tbl_session_rel_user
WHERE
@ -4211,8 +4201,11 @@ class SessionManager
if ($getCount) {
$row = Database::fetch_array($result);
if ($row) {
return (int) $row['count'];
}
return $row['count'];
return 0;
}
$sessions = [];
@ -4588,8 +4581,11 @@ class SessionManager
$result = Database::query($sql);
if ($getCount) {
$count = Database::fetch_assoc($result);
if ($count) {
return (int) $count['count'];
}
return $count['count'];
return 0;
}
$return = [];
@ -6546,7 +6542,7 @@ SQL;
if (!empty($column) && !empty($direction)) {
$column = str_replace('u.', '', $column);
$sql .= " ORDER BY $column $direction ";
$sql .= " ORDER BY `$column` $direction ";
}
$sql .= $limitCondition;
$result = Database::query($sql);
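Review bot: In the last hunk, `str_replace('u.', '', $column)` followed by backticks assumes `$column` is a bare column name; any other qualified name or an expression would be wrapped as a single identifier and the query would fail, and `$direction` is still interpolated without a check. An allow-list on the cleaned value, e.g. `$column = in_array($column, $sortableColumns, true) ? $column : 'id';`, is safer than quoting — the allowed set is not visible here, so take it from the SELECT list above the hunk. In the hunk at `-335,7`, replacing `$user_id` with `api_get_user_id()` changes which user the event log records when a session is created on someone else's behalf; if `$user_id` was a parameter of the method, a short comment stating that the actor, not the owner, is logged would help. All of these hunks sit inside methods that start and end outside them.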

@ -267,9 +267,9 @@ class Statistics
$table_user = Database::get_main_table(TABLE_MAIN_USER);
$access_url_rel_user_table = Database::get_main_table(TABLE_MAIN_ACCESS_URL_REL_USER);
$urlId = api_get_current_access_url_id();
$column = intval($column);
$from = intval($from);
$numberOfItems = intval($numberOfItems);
$column = (int) $column;
$from = (int) $from;
$numberOfItems = (int) $numberOfItems;
$direction = strtoupper($direction);
if (!in_array($direction, ['ASC', 'DESC'])) {
@ -946,7 +946,7 @@ class Statistics
HAVING t.c_id <> ''
AND DATEDIFF( '".api_get_utc_datetime()."' , access_date ) <= ".$date_diff;
}
$sql .= ' ORDER BY '.$columns[$column].' '.$sql_order[$direction];
$sql .= ' ORDER BY `'.$columns[$column].'` '.$sql_order[$direction];
$from = ($page_nr - 1) * $per_page;
$sql .= ' LIMIT '.$from.','.$per_page;
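Review bot: At the `ORDER BY` line `$column` is an `(int)` (first hunk) but nothing checks that it is a valid index of `$columns`, so an out-of-range value produces an empty backticked identifier and a SQL error instead of a default sort; a guard such as `if (!isset($columns[$column])) { $column = 0; }` before the concatenation fixes that. The backticks are only correct if every entry of `$columns` is a bare column name — if any entry is a qualified name or an expression (the array is not visible here), that entry now breaks the query. `$direction` is normalised against `ASC`/`DESC` in the first hunk, which is the right pattern; `$sql_order[$direction]` then just needs both to be keys of that array.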

@ -15,8 +15,6 @@ use ExtraField as ExtraFieldModel;
* Class Tracking.
*
* @author Julio Montoya <gugli100@gmail.com>
*
* @package chamilo.library
*/
class Tracking
{
@ -3848,7 +3846,7 @@ class Tracking
if (in_array($orderByName, ['name', 'access_start_date'])) {
$orderByDirection = in_array(strtolower($orderByDirection), ['asc', 'desc']) ? $orderByDirection : 'asc';
$orderByName = Database::escape_string($orderByName);
$orderBy .= " ORDER BY $orderByName $orderByDirection";
$orderBy .= " ORDER BY `$orderByName` $orderByDirection";
}
}
@ -7110,7 +7108,8 @@ class TrackingCourseLog
$table_item_property = Database::get_course_table(TABLE_ITEM_PROPERTY);
$table_user = Database::get_main_table(TABLE_MAIN_USER);
$table_session = Database::get_main_table(TABLE_MAIN_SESSION);
$session_id = intval($session_id);
$column = (int) $column;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
$sql = "SELECT
tool as col0,
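Review bot: In the second hunk the `$direction` check tests `strtolower(trim($direction))` but keeps the original, unnormalised value, so the raw input (with its case and surrounding whitespace) is what reaches the SQL; it passes the allow-list, but using the normalised value is easier to reason about: `$direction = in_array(strtolower(trim($direction)), ['asc', 'desc'], true) ? strtoupper(trim($direction)) : 'ASC';`. In the first hunk `in_array($orderByName, [...])` would benefit from the strict flag, in keeping with the `(int)` casts this commit adds elsewhere. Both hunks sit inside functions that start before and end after them.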

@ -2536,7 +2536,7 @@ class UserManager
$field_filter = (int) $field_filter;
$sqlf .= " AND filter = $field_filter ";
}
$sqlf .= " ORDER BY ".$columns[$column]." $sort_direction ";
$sqlf .= " ORDER BY `".$columns[$column]."` $sort_direction ";
if ($number_of_items != 0) {
$sqlf .= " LIMIT ".intval($from).','.intval($number_of_items);
}
@ -2841,7 +2841,9 @@ class UserManager
return $extra_data;
}
/** Get extra user data by field
/**
* Get extra user data by field.
*
* @param int user ID
* @param string the internal variable name of the field
*
@ -5189,7 +5191,7 @@ class UserManager
if (!empty($column) && !empty($direction)) {
// Fixing order due the UNIONs
$column = str_replace('u.', '', $column);
$orderBy = " ORDER BY $column $direction ";
$orderBy = " ORDER BY `$column` $direction ";
}
}
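Review bot: At the `ORDER BY` line of the first hunk nothing ensures `$column` is a key of `$columns`; if it is not, the identifier is empty and the query fails, so add `if (!isset($columns[$column])) { $column = 0; }` (or the default the caller expects) before building `$sqlf`. `$sort_direction` is still interpolated raw at the same line; `$sort_direction = strtoupper($sort_direction) === 'DESC' ? 'DESC' : 'ASC';` next to it would close that. In the last hunk the `str_replace('u.', '', $column)` + backtick pattern again assumes a bare column name and leaves `$direction` unchecked. The enclosing methods start outside the hunks.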

@ -86,10 +86,10 @@ class ZombieManager
$sql .= ' AND user.active = 1';
}
$sql .= " ORDER BY $column $direction";
$sql .= " ORDER BY `$column` $direction";
if (!is_null($from) && !is_null($count)) {
$count = intval($count);
$from = intval($from);
$count = (int) $count;
$from = (int) $from;
$sql .= " LIMIT $from, $count ";
}
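Review bot: `$column` and `$direction` at the `ORDER BY` line are not validated in this hunk — only `$count` and `$from` are cast — and backticks alone do not stop a value containing a backtick from terminating the identifier. If the method's parameter handling (outside the hunk) does not already allow-list them, add `$direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';` and compare `$column` against the columns this query can actually sort by.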

@ -1,8 +1,6 @@
<?php
/**
* @package chamilo.permissions
*/
require '../inc/global.inc.php';
api_protect_course_script();
require_once 'permissions_functions.inc.php';
require_once 'all_permissions.inc.php';
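Review bot: The new `api_protect_course_script();` call is made without the `true` argument that every other call added by this commit passes (`upload/index.php`, `upload.php` and the two other scripts); if that argument changes what happens on denial, this page behaves differently from the rest — confirm which form is intended. Course-script protection only establishes membership of the course; since this script manages roles and permissions, an editing-rights check is needed as well unless one is already performed below the hunk.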

@ -2,8 +2,6 @@
/* For licensing terms, see /license.txt */
/**
* List sessions categories.
*
* @package chamilo.admin
*/
$cidReset = true;
@ -87,7 +85,7 @@ if (isset($_GET['search']) && $_GET['search'] === 'advanced') {
) as nbr_session
FROM $tbl_session_category sc
$where
ORDER BY $sort $order
ORDER BY `$sort` $order
LIMIT $from,".($limit + 1);
$query_rows = "SELECT count(*) as total_rows
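Review bot: `$sort` and `$order` at the `ORDER BY` line are not validated in this hunk, and backticks only help against injection through operators and whitespace — a backtick inside `$sort` still escapes the identifier, and `$order` is interpolated unchanged. Where these are read from the request (above the hunk) they should be mapped through an allow-list of the columns this query exposes, with `$order = strtoupper($order) === 'DESC' ? 'DESC' : 'ASC';`.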

@ -1,8 +1,5 @@
<?php
/* For licensing terms, see /license.txt */
/**
* @package chamilo.admin
*/
$cidReset = true;
require_once __DIR__.'/../inc/global.inc.php';
@ -34,7 +31,7 @@ if (!list($session_name) = Database::fetch_row($result)) {
exit;
}
if ($action == 'delete') {
if ($action === 'delete') {
$idChecked = $_REQUEST['idChecked'];
if (is_array($idChecked) && count($idChecked) > 0) {
$my_temp = [];
@ -58,7 +55,7 @@ $from = $page * $limit;
$sql = "SELECT c.id, c.code, c.title, nbr_users
FROM $tbl_session_rel_course, $tbl_course c
WHERE c_id = c.id AND session_id='$id_session'
ORDER BY $sort
ORDER BY `$sort`
LIMIT $from,".($limit + 1);
$result = Database::query($sql);
$Courses = Database::store_result($result);
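Review bot: `$idChecked = $_REQUEST['idChecked'];` is read without an `isset` guard, so a `delete` action sent without that parameter emits a notice before `is_array` rejects it; `$idChecked = isset($_REQUEST['idChecked']) ? $_REQUEST['idChecked'] : [];` avoids that. More importantly, `delete` is a state-changing action driven by `$_REQUEST`, which accepts GET parameters, and no CSRF token check is visible in the hunk — if none is performed above it, a crafted link is enough to remove courses from the session. `$sort` in the `ORDER BY` line is backticked but its validation is outside the hunk.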

@ -1,9 +1,6 @@
<?php
/* For licensing terms, see /license.txt */
/**
* @package chamilo.admin
*/
$cidReset = true;
require_once __DIR__.'/../inc/global.inc.php';
@ -26,7 +23,7 @@ $course_code = Database::escape_string(trim($_GET['course_code']));
$courseInfo = api_get_course_info($course_code);
$courseId = $courseInfo['real_id'];
$page = isset($_GET['page']) ? intval($_GET['page']) : null;
$page = isset($_GET['page']) ? (int) $_GET['page'] : null;
$action = isset($_REQUEST['action']) ? $_REQUEST['action'] : null;
$default_sort = api_sort_by_first_name() ? 'firstname' : 'lastname';
$sort = isset($_GET['sort']) && in_array($_GET['sort'], ['lastname', 'firstname', 'username'])
@ -44,7 +41,7 @@ if (is_array($idChecked)) {
$my_temp = [];
foreach ($idChecked as $id) {
// forcing the intval
$my_temp[] = intval($id);
$my_temp[] = (int) $id;
}
$idChecked = $my_temp;
}
@ -94,7 +91,7 @@ $sql = "
LEFT JOIN $tbl_session_rel_course_rel_user scru
ON (s.session_id = scru.session_id AND s.user_id = scru.user_id AND scru.c_id = $courseId)
WHERE s.session_id = $id_session
ORDER BY $sort $direction
ORDER BY `$sort` $direction
LIMIT $from,".($limit + 1);
if ($direction == 'desc') {
@ -106,7 +103,7 @@ if ($direction == 'desc') {
$result = Database::query($sql);
$users = Database::store_result($result);
$nbr_results = sizeof($users);
$nbr_results = count($users);
$tool_name = get_lang('Session').': '.$session_name.' - '.get_lang('Course').': '.$course_title;
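Review bot: `$sort` is allow-listed at the `in_array($_GET['sort'], [...])` line, so the backticks in `ORDER BY` are safe here, but `$direction` in the same statement is only compared with `'desc'` after the query string has been built, and its assignment is outside the hunk; confirm it is normalised to `asc`/`desc` before interpolation. The `in_array` call could take the strict flag, in keeping with the `(int)` casts this commit adds.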

@ -20,6 +20,7 @@ require_once __DIR__.'/../inc/global.inc.php';
$_course = api_get_course_info();
api_protect_course_script(true);
$htmlHeadXtra[] = "<script>
function check_unzip() {
if (document.upload.unzip.checked) {

@ -1,6 +1,7 @@
<?php
/* For licensing terms, see /license.txt */
exit;
/**
* Process part of the document sub-process for upload. This script MUST BE included by upload/index.php
* as it prepares most of the variables needed here.
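Review bot: The unconditional `exit;` at line 3 disables the whole script, but the docblock right after it still says the script "MUST BE included by upload/index.php", and `upload.php` in this same commit only comments out its `require`, so the file stays in the tree as dead code with a misleading header. Either remove the file, or put a comment above the `exit;` that says why it is disabled, e.g. `// Intentionally disabled; kept only for history — see upload.php.`, and update the docblock accordingly.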

@ -13,6 +13,7 @@ use ChamiloSession as Session;
*/
require_once __DIR__.'/../inc/global.inc.php';
api_protect_course_script(true);
$toolFromSession = Session::read('my_tool');
// return to index if no tool is set
@ -40,6 +41,6 @@ switch ($toolFromSession) {
case TOOL_STUDENTPUBLICATION:
case TOOL_DOCUMENT:
default:
require 'upload.document.php';
//require 'upload.document.php';
break;
}
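Review bot: After commenting out `require 'upload.document.php';` the `default` branch — which also catches `TOOL_STUDENTPUBLICATION` and `TOOL_DOCUMENT` — does nothing, so a request for those tools now yields an empty page with no message or redirect. If the document path is intentionally gone, replace the commented-out line with an explicit outcome (a redirect back to the tool index or an error message) and drop the dead `//require` rather than leaving it in place.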

@ -13,6 +13,7 @@ use Chamilo\CoreBundle\Component\Utils\ChamiloApi;
*/
require_once __DIR__.'/../inc/global.inc.php';
api_protect_course_script(true);
if (isset($_POST['convert'])) {
$cwdir = getcwd();
if (isset($_FILES['user_file'])) {
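Review bot: `api_protect_course_script(true)` restricts this script to course members, but the `convert` branch right below processes an uploaded `$_FILES['user_file']` and changes the working directory, which is functionality normally reserved for users who may edit the course; unless an editing-rights check exists below the hunk, any enrolled student can trigger the conversion. That check belongs directly after the protection call.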

@ -12,6 +12,7 @@
*/
require_once __DIR__.'/../inc/global.inc.php';
api_protect_course_script(true);
$form_style = '<style>
.row {
width: 200px;

@ -7,8 +7,6 @@ use ExtraField as ExtraFieldModel;
/**
* This script allows teachers to subscribe existing users
* to their course.
*
* @package chamilo.user
*/
require_once __DIR__.'/../inc/global.inc.php';
$current_course_tool = TOOL_USER;
@ -660,6 +658,8 @@ function get_user_data($from, $number_of_items, $column, $direction)
}
$sql .= " AND u.status != ".ANONYMOUS." ";
$column = (int) $column;
$direction = !in_array(strtolower(trim($direction)), ['asc', 'desc']) ? 'asc' : $direction;
// Sorting and pagination (used by the sortable table)
$sql .= " ORDER BY col$column $direction ";
$from = (int) $from;
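Review bot: In the added `$direction` line the allow-list is checked against `strtolower(trim($direction))` but the raw value is what is kept and interpolated into `ORDER BY col$column $direction`; use the normalised value: `$direction = in_array(strtolower(trim($direction)), ['asc', 'desc'], true) ? strtoupper(trim($direction)) : 'ASC';`. Casting `$column` to `(int)` is sound as long as a `colN` alias exists in the SELECT (outside the hunk) for every index the sortable table can send; an out-of-range index gives a SQL error rather than a default order. `get_user_data` ends outside the hunk.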

@ -107,13 +107,16 @@ class WSCMInbox extends WSCM
$from,
$number_of_items
) {
$from = (int) $from;
$number_of_items = (int) $number_of_items;
if ($this->verifyUserPass($username, $password) == "valid") {
$user_id = UserManager::get_user_id_from_username($username);
$table_message = Database::get_main_table(TABLE_MESSAGE);
$sql_query = "SELECT id FROM $table_message
WHERE user_sender_id=".$user_id." AND msg_status=".MESSAGE_STATUS_OUTBOX."
ORDER BY send_date LIMIT $from,$number_of_items";
ORDER BY send_date
LIMIT $from,$number_of_items";
$sql_result = Database::query($sql_query);
$message = "#";
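Review bot: The `(int)` casts on `$from` and `$number_of_items` stop injection, but a negative value still reaches `LIMIT $from,$number_of_items` and produces a SQL syntax error; clamp them: `$from = max(0, (int) $from);` and `$number_of_items = max(0, (int) $number_of_items);`. The `== "valid"` comparison would be safer as `===`, consistent with the strict comparisons this commit introduces elsewhere. The method continues past the hunk.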

@ -196,7 +196,7 @@ class WSCMUser extends WSCM
}
$order = '';
foreach ($order_by as $orderByItem) {
$order .= Database::escape_string($orderByItem, null, false).', ';
$order .= Database::escape_string($orderByItem).', ';
}
$order = substr($order, 0, -2);
if (count($order_by) > 0) {
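Review bot: `Database::escape_string($orderByItem)` at the changed line is the wrong tool for an `ORDER BY` list: it escapes quote characters for use inside a string literal, but identifiers in `ORDER BY` are not quoted, so a value such as `id DESC, (SELECT ...)` passes through unchanged and is executed as-is. Each item should be matched against an allow-list of sortable user columns, e.g. `if (!in_array($orderByItem, $allowedOrderColumns, true)) { continue; }` before it is appended, with the direction normalised separately. The two dropped arguments presumably selected an escaping variant; that does not change the point above. The enclosing method starts outside the hunk.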

@ -5,8 +5,6 @@ use Chamilo\CourseBundle\Entity\CStudentPublication;
use ChamiloSession as Session;
/**
* @package chamilo.work
*
* @author Thomas, Hugues, Christophe - original version
* @author Patrick Cool <patrick.cool@UGent.be>, Ghent University -
* ability for course admins to specify wether uploaded documents are visible or invisible by default.
@ -26,8 +24,8 @@ use ChamiloSession as Session;
*/
function displayWorkActionLinks($id, $action, $isTutor)
{
$id = $my_back_id = intval($id);
if ($action == 'list') {
$id = $my_back_id = (int) $id;
if ('list' == $action) {
$my_back_id = 0;
}
@ -83,7 +81,7 @@ function displayWorkActionLinks($id, $action, $isTutor)
function get_work_data_by_path($path, $courseId = 0)
{
$path = Database::escape_string($path);
$courseId = intval($courseId);
$courseId = (int) $courseId;
if (empty($courseId)) {
$courseId = api_get_course_int_id();
}
@ -169,8 +167,8 @@ function get_work_data_by_id($id, $courseId = 0, $sessionId = 0)
*/
function get_work_count_by_student($user_id, $work_id)
{
$user_id = intval($user_id);
$work_id = intval($work_id);
$user_id = (int) $user_id;
$work_id = (int) $work_id;
$course_id = api_get_course_int_id();
$session_id = api_get_session_id();
$sessionCondition = api_get_session_condition($session_id);
@ -188,7 +186,7 @@ function get_work_count_by_student($user_id, $work_id)
$return = 0;
if (Database::num_rows($result)) {
$return = Database::fetch_row($result, 'ASSOC');
$return = intval($return[0]);
$return = (int) ($return[0]);
}
return $return;
@ -202,11 +200,11 @@ function get_work_count_by_student($user_id, $work_id)
*/
function get_work_assignment_by_id($id, $courseId = 0)
{
$courseId = intval($courseId);
$courseId = (int) $courseId;
if (empty($courseId)) {
$courseId = api_get_course_int_id();
}
$id = intval($id);
$id = (int) $id;
$table = Database::get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT);
$sql = "SELECT * FROM $table
WHERE c_id = $courseId AND publication_id = $id";
@ -360,10 +358,10 @@ function getUniqueStudentAttemptsTotal($workId, $groupId, $course_id, $sessionId
{
$work_table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
$user_table = Database::get_main_table(TABLE_MAIN_USER);
$course_id = intval($course_id);
$workId = intval($workId);
$sessionId = intval($sessionId);
$groupId = intval($groupId);
$course_id = (int) $course_id;
$workId = (int) $workId;
$sessionId = (int) $sessionId;
$groupId = (int) $groupId;
$sessionCondition = api_get_session_condition(
$sessionId,
true,
@ -416,7 +414,7 @@ function getUniqueStudentAttempts(
$work_table = Database::get_course_table(TABLE_STUDENT_PUBLICATION);
$user_table = Database::get_main_table(TABLE_MAIN_USER);
$course_id = intval($course_id);
$course_id = (int) $course_id;
$workCondition = null;
if (is_array($workId)) {
$workId = array_map('intval', $workId);
@ -427,8 +425,8 @@ function getUniqueStudentAttempts(
$workCondition = " w.parent_id = ".$workId." AND";
}
$sessionId = intval($sessionId);
$groupId = intval($groupId);
$sessionId = (int) $sessionId;
$groupId = (int) $groupId;
$studentCondition = null;
if (!empty($onlyUserList)) {
@ -1250,7 +1248,7 @@ function getWorkListStudent(
$where_condition
";
$sql .= " ORDER BY $column $direction ";
$sql .= " ORDER BY `$column` $direction ";
if (!empty($start) && !empty($limit)) {
$sql .= " LIMIT $start, $limit";
@ -1374,8 +1372,8 @@ function getWorkListTeacher(
}
$column = !empty($column) ? Database::escape_string($column) : 'sent_date';
$start = intval($start);
$limit = intval($limit);
$start = (int) $start;
$limit = (int) $limit;
$works = [];
// Get list from database
@ -1397,7 +1395,7 @@ function getWorkListTeacher(
parent_id = 0 AND
post_group_id = $groupIid
$where_condition
ORDER BY $column $direction
ORDER BY `$column` $direction
LIMIT $start, $limit";
$result = Database::query($sql);
@ -1405,7 +1403,7 @@ function getWorkListTeacher(
if ($getCount) {
$row = Database::fetch_array($result);
return $row['count'];
return (int) $row['count'];
}
$url = api_get_path(WEB_CODE_PATH).'work/work_list_all.php?'.api_get_cidreq();
@ -1629,8 +1627,8 @@ function get_work_user_list_from_documents(
)
)";
$start = intval($start);
$limit = intval($limit);
$start = (int) $start;
$limit = (int) $limit;
$direction = in_array(strtolower($direction), ['desc', 'asc']) ? $direction : 'desc';
$column = Database::escape_string($column);
@ -1642,7 +1640,7 @@ function get_work_user_list_from_documents(
return $result['count'];
}
$sql .= " ORDER BY $column $direction";
$sql .= " ORDER BY `$column` $direction";
$sql .= " LIMIT $start, $limit";
$result = Database::query($sql);
@ -1900,7 +1898,7 @@ function get_work_user_list(
$whereCondition
$condition_session
AND u.status != ".INVITEE."
ORDER BY $column $direction";
ORDER BY `$column` $direction";
if (!empty($start) && !empty($limit)) {
$sql .= " LIMIT $start, $limit";
@ -1910,8 +1908,11 @@ function get_work_user_list(
if ($getCount) {
$work = Database::fetch_array($result, 'ASSOC');
if ($work) {
return (int) $work['count'];
}
return $work['count'];
return 0;
}
$url = api_get_path(WEB_CODE_PATH).'work/';
@ -3001,8 +3002,8 @@ function getWorkComments($work)
$commentTable = Database::get_course_table(TABLE_STUDENT_PUBLICATION_ASSIGNMENT_COMMENT);
$userTable = Database::get_main_table(TABLE_MAIN_USER);
$courseId = intval($work['c_id']);
$workId = intval($work['id']);
$courseId = (int) $work['c_id'];
$workId = (int) $work['id'];
if (empty($courseId) || empty($workId)) {
return [];
@ -4924,8 +4925,8 @@ function getWorkUserList($courseCode, $sessionId, $groupId, $start, $limit, $sid
} else {
$limitString = null;
if (!empty($start) && !empty($limit)) {
$start = intval($start);
$limit = intval($limit);
$start = (int) $start;
$limit = (int) $limit;
$limitString = " LIMIT $start, $limit";
}
@ -4933,7 +4934,7 @@ function getWorkUserList($courseCode, $sessionId, $groupId, $start, $limit, $sid
if (!empty($sidx) && !empty($sord)) {
if (in_array($sidx, ['firstname', 'lastname'])) {
$orderBy = "ORDER BY $sidx $sord";
$orderBy = "ORDER BY `$sidx` $sord";
}
}
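Review bot: In the `getWorkUserList` hunk at the end, `$sidx` is allow-listed (`in_array($sidx, ['firstname', 'lastname'])`) but `$sord` is interpolated into the `ORDER BY` unchecked; normalise it the way `get_work_user_list_from_documents` does a few hunks up: `$sord = in_array(strtolower($sord), ['asc', 'desc'], true) ? $sord : 'desc';`. The combination of `Database::escape_string($column)` followed by backticks, used in several hunks of this file, does not make `$column` safe either — `escape_string` does not escape the backtick character — so an allow-list of sortable columns, not quoting, is what is needed there. The functions around these hunks start and end outside them.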

@ -301,9 +301,9 @@ class NotebookTeacher
// Database table definition
$tableNotebook = Database::get_main_table(NotebookTeacherPlugin::TABLE_NOTEBOOKTEACHER);
if ($view == 'creation_date' || $view == 'update_date') {
$orderBy = " ORDER BY $view $sortDirection ";
$orderBy = " ORDER BY `$view` $sortDirection ";
} else {
$orderBy = " ORDER BY $view $sortDirection ";
$orderBy = " ORDER BY `$view` $sortDirection ";
}
// condition for the session
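Review bot: After this change both branches of `if ($view == 'creation_date' || $view == 'update_date')` build the identical `ORDER BY` string, so the condition is dead and `$view` reaches the query unvalidated whichever branch runs. Turn the condition into the allow-list it was evidently meant to be: `$view = in_array($view, ['creation_date', 'update_date'], true) ? $view : 'creation_date';` (or whatever default the `else` branch was meant to cover) followed by a single ``$orderBy = " ORDER BY `$view` $sortDirection ";``, and normalise `$sortDirection` to `ASC`/`DESC` alongside. The method continues outside the hunk.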
